Edit tour

Windows Analysis Report
wechat-3.9.7-installer_ae-GFz1.exe

Overview

General Information

Sample name:	wechat-3.9.7-installer_ae-GFz1.exe
Analysis ID:	1450567
MD5:	c9db32520878a90f367b284f5f765ab7
SHA1:	e59b03e0dfe13054a30eb68a04b0cd7cc0456e1a
SHA256:	5dc9eafb99e68c0ef77d151ea645736d19393fffc3e01d9dbb073584893b99a4
Infos:

Detection

PureLog Stealer

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Creates an autostart registry key pointing to binary in C:\Windows

Drops large PE files

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs Task Scheduler Managed Wrapper

Reads the Security eventlog

Reads the System eventlog

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Yara detected Generic Downloader

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Registers a DLL

Sample file is different than original file name gathered from version info

Searches the installation path of Mozilla Firefox

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potentially Suspicious Rundll32 Activity

Sigma detected: Suspicious Rundll32 Setupapi.dll Activity

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

query blbeacon for getting browser version

Classification

Process Tree

System is w10x64

wechat-3.9.7-installer_ae-GFz1.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe" MD5: C9DB32520878A90F367B284F5F765AB7)

wechat-3.9.7-installer_ae-GFz1.tmp (PID: 6540 cmdline: "C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp" /SL5="$1040C,837551,832512,C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe" MD5: 053B158842578C53DB20AD6835B8658B)

component0.exe (PID: 7068 cmdline: "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240601224314&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i MD5: DDFFAA966C03DC4BEF4DCB947DCC474B)

cldwur4x.exe (PID: 2640 cmdline: "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent MD5: 6C0F8BF824E17C2F0DDFF150D8DC7488)

RAVEndPointProtection-installer.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent MD5: 31CB221ABD09084BF10C8D6ACF976A21)

rsSyncSvc.exe (PID: 3608 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10 MD5: 3068531529196A5F3C9CB369B8A6A37F)

conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 3344 cmdline: "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf MD5: EF3179D498793BF4234F708D3BE28633)

runonce.exe (PID: 3588 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0)

grpconv.exe (PID: 2308 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE)

wevtutil.exe (PID: 2668 cmdline: "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml MD5: 1AAE26BD68B911D0420626A27070EB8D)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fltMC.exe (PID: 916 cmdline: "fltmc.exe" load rsKernelEngine MD5: 6AB08CADCE7DF971A043DCD1257D7374)

conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wevtutil.exe (PID: 1440 cmdline: "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml MD5: 1AAE26BD68B911D0420626A27070EB8D)

conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rsWSC.exe (PID: 3844 cmdline: "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i MD5: D8021F3B7E9C952B7EC33B929183E8EF)

rsClientSvc.exe (PID: 1892 cmdline: "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i MD5: 9170244A34CB903FC5DFBE4159DB6F16)

conhost.exe (PID: 564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rsEngineSvc.exe (PID: 6200 cmdline: "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i MD5: D8053B9FDBDBB3E32CF583AACB29D1EE)

saBSI.exe (PID: 4856 cmdline: "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: 143255618462A577DE27286A272584E1)

installer.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: 58B8915D4281DB10762AF30EAF315C9E)

installer.exe (PID: 6380 cmdline: "C:\Program Files\McAfee\Temp3475153614\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade MD5: B2B02A72E98408C9E0EBD5036BD7A092)

regsvr32.exe (PID: 2176 cmdline: regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 1988 cmdline: /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 2252 cmdline: regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 6536 cmdline: regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 6656 cmdline: /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 6568 cmdline: regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

WerFault.exe (PID: 6032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rsSyncSvc.exe (PID: 2212 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10 MD5: 3068531529196A5F3C9CB369B8A6A37F)

Uninstall.exe (PID: 6196 cmdline: "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub MD5: 6C0F8BF824E17C2F0DDFF150D8DC7488)

Uninstall.exe (PID: 6416 cmdline: "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub MD5: 6C0F8BF824E17C2F0DDFF150D8DC7488)

RAVEndPointProtection-installer.exe (PID: 3512 cmdline: "C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub MD5: 31CB221ABD09084BF10C8D6ACF976A21)

svchost.exe (PID: 6832 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6540 -ip 6540 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6540 -ip 6540 MD5: C31336C1EFC2CCB44B4326EA793040F2)

servicehost.exe (PID: 6560 cmdline: "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe" MD5: AF384AA87E3D70F7A687C5C60DA2FB7F)

uihost.exe (PID: 3428 cmdline: "C:\Program Files\McAfee\WebAdvisor\UIHost.exe" MD5: D1BEFCFE26C5C2132BDABBF332306004)

rsWSC.exe (PID: 3588 cmdline: "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" MD5: D8021F3B7E9C952B7EC33B929183E8EF)

rsClientSvc.exe (PID: 5548 cmdline: "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" MD5: 9170244A34CB903FC5DFBE4159DB6F16)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ATY5CJG3\rsServiceController.DLL	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsWSC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\mc.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsLogger.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\UDOOGFD5\rsAtom.DLL	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsTime.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\KRK4DVBJ\rsJSON.DLL	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsHelper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsServiceController.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsLogger.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsBridge.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsTime.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ZMMW8FDC\rsLogger.DLL	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 68 entries

Memory Dumps

Source	Rule	Description	Author
0000002D.00000002.2437605904.000002BC41312000.00000002.00000001.01000000.00000034.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000023.00000000.2377819043.0000013169FE2000.00000002.00000001.01000000.00000023.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2541457093.00000220952CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000002.2437311674.000002BC412D2000.00000002.00000001.01000000.00000033.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000000.2419994897.000002BC3F702000.00000002.00000001.01000000.00000030.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000002.2437962183.000002BC413EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000002.2445270867.000002BC5A9D2000.00000002.00000001.01000000.00000035.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2030874846.000000000274A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2035288824.0000000002746000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
45.0.rsEngineSvc.exe.2bc3f700000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
45.2.rsEngineSvc.exe.2bc412d0000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RAVEndPointProtection-installer.exe.220feb40000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RAVEndPointProtection-installer.exe.220fe910000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RAVEndPointProtection-installer.exe.220feb00000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
35.0.rsWSC.exe.13169fe0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
45.2.rsEngineSvc.exe.2bc41310000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
45.2.rsEngineSvc.exe.2bc5a9d0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: grpconv -o, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\rundll32.exe, ProcessId: 3344, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf, CommandLine: "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf, CommandLine|base64offset|contains: [HZ, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent, ParentImage: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe, ParentProcessId: 6024, ParentProcessName: RAVEndPointProtection-installer.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf, ProcessId: 3344, ProcessName: rundll32.exe

Sigma detected: Suspicious Rundll32 Setupapi.dll Activity

Source: Process started

Author: Konstantin Grishchenko, oscd.community: Data: Command: "C:\Windows\system32\runonce.exe" -r, CommandLine: "C:\Windows\system32\runonce.exe" -r, CommandLine|base64offset|contains: , Image: C:\Windows\System32\runonce.exe, NewProcessName: C:\Windows\System32\runonce.exe, OriginalFileName: C:\Windows\System32\runonce.exe, ParentCommandLine: "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 3344, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\system32\runonce.exe" -r, ProcessId: 3588, ProcessName: runonce.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6832, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wechat-3.9.7-installer_ae-GFz1.exe

Virustotal: Detection: 20%

Perma Link

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008214F0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CryptMsgGetParam,CertFreeCRLContext,CertFreeCRLContext,	6_2_008214F0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008217A0 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptQueryObject,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,	6_2_008217A0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D5870 GetCurrentProcessId,GetCurrentThreadId,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,UuidCreate,UuidCreate,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	6_2_007D5870
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D6220 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,	6_2_007D6220
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080E610 CryptMsgClose,	6_2_0080E610
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D67B0 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,	6_2_007D67B0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080EB60 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptQueryObject,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,	6_2_0080EB60
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080F150 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertFreeCRLContext,	6_2_0080F150
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080F3C0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertGetNameStringW,CertGetNameStringW,CertGetCertificateChain,CertFreeCertificateChain,CertFreeCertificateChain,CertVerifyCertificateChainPolicy,CertFreeCertificateChain,CertFreeCRLContext,CertFreeCRLContext,	6_2_0080F3C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396914A0 CryptQueryObject,GetLastError,CryptMsgGetParam,GetLastError,LocalAlloc,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,CertGetNameStringW,CertGetNameStringW,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,	9_2_00007FF6396914A0

Compliance

Uses 32bit PE files

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Window detected: HYPERLINK "https://risecodes.com/terms" Terms of UseHYPERLINK "https://risecodes.com/privacy" Privacy PolicyHYPERLINK "https://hello.softonic.com/terms-of-use" End User License AgreementHYPERLINK "https://hello.softonic.com/privacy-policy" Privacy PolicyThis will download WeChat to your computer click "Next" to continue.Welcome to WeChat Download Manager&NextCancel

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_100_percent.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\icudtl.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSES.chromium.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ar.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bg.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bn.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ca.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\cs.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-GB.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-US.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es-419.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\et.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\gu.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\he.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hu.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\id.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\it.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ja.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\kn.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ko.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lt.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lv.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ml.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\mr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nb.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-BR.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-PT.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ro.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ru.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sk.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sw.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\th.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\tr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\uk.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ur.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\vi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-TW.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\version	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader_icd.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rselam.cat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Signatures.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\WhiteList.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.AppContext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TextWriterTraceListener.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Calendars.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.IsolatedStorage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.UnmanagedMemoryStream.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Queryable.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NameResolution.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Ping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Sockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebHeaderCollection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Writer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Handles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.X509Certificates.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.ThreadPool.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlSerializer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\mc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\NAudio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\netstandard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsBridge.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\amd64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ARM64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR\amd64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR\x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\manifest.json
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsClient.Protection.Microphone.dll.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsEngine.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsEngineSvc.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsExtensionHost.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsHelper.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsRemediation.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\Signatures.dat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\manifest.json
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\WhiteList.dat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\analyticsmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\analyticstelemetry.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\balloon_safe_annotation.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\browserhost.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\browserplugin.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\downloadscan.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\eventmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_complete.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_failed.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_laptop.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\jquery-1.9.0.min.js
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\l10n.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\logicmodule.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\logicscripts.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\lookupmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\main_close_large.png

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RAVEndPointProtection-installer.exe.log	Jump to behavior
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	File created: C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	File created: C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-cs-CZ.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-da-DK.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-de-DE.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-el-GR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-en-US.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-es-ES.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-es-MX.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fi-FI.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fr-CA.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fr-FR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-hr-HR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-hu-HU.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-it-IT.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ja-JP.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ko-KR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-nb-NO.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-nl-NL.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pl-PL.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pt-BR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pt-PT.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ru-RU.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sk-SK.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sr-Latn-CS.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sv-SE.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-tr-TR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-zh-CN.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-zh-TW.txt

PE / OLE file has a valid certificate

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: rsAtom.pdb source: cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp, Uninstall.exe, 0000000D.00000003.2030874846.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\ServiceHost.pdbu source: installer.exe, 00000015.00000003.2279804803.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsWSC.pdb source: rsWSC.exe, 00000023.00000000.2377819043.0000013169FE2000.00000002.00000001.01000000.00000023.sdmp, rsWSC.exe, 00000023.00000002.2391526354.00000131000A0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\SettingManager.pdb source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\WebAdvisor-accesslib-caller_main@2\Build\x64\Release\caller_dll.pdb source: installer.exe, 00000015.00000000.2184712865.00007FF7F5BD2000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: component0.exe, 00000003.00000000.1901418219.0000022CF9882000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: rsTime.pdb source: cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2035288824.0000000002746000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1@2\build\Win32\Release\Resource.pdbGCTL source: installer.exe, 00000015.00000003.2275014753.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\BrowserHost.pdbe source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LogicModule.pdb source: installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\non_system\code\WebAdvisor-ISGIS\build\x64\Release\Installer.pdb$ source: installer.exe, 00000012.00000002.2429013846.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp, installer.exe, 00000012.00000000.2140165890.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1@2\build\Win32\Release\Resource.pdb source: installer.exe, 00000015.00000003.2275014753.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\RavStub\obj\Release\RavStub.pdb source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000009.00000002.1991906507.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 00000009.00000000.1989460441.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000000.1991099416.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000002.2881117473.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, Uninstall.exe, 0000000D.00000003.2036725160.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\x64\Release\ArchiveUtility.pdb source: cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\ServiceHost.pdb source: installer.exe, 00000015.00000003.2279804803.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdbHG source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsServiceController.pdb source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\TaskManager.pdb source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2806047428.00000220FE8D2000.00000002.00000001.01000000.00000037.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\TaskManager.pdb{ source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2816590508.00000220FEBF2000.00000002.00000001.01000000.0000003B.sdmp, Uninstall.exe, 0000000D.00000003.2018820324.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\BrowserHost.pdb source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\non_system\code\WebAdvisor-ISGIS\build\x64\Release\Installer.pdb source: installer.exe, 00000012.00000002.2429013846.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp, installer.exe, 00000012.00000000.2140165890.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\UIHost.pdb source: installer.exe, 00000015.00000003.2297053110.000001EE5049E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsDatabase.pdb source: cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2029522577.0000000002749000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\Installer.pdb source: installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LookupManager.pdb source: installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\WATaskManager.pdb] source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdb source: cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\UIHost.pdbu source: installer.exe, 00000015.00000003.2297053110.000001EE5049E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2816590508.00000220FEBF2000.00000002.00000001.01000000.0000003B.sdmp, Uninstall.exe, 0000000D.00000003.2018820324.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\EventManager.pdb source: installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdb source: cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000009.00000002.1991906507.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 00000009.00000000.1989460441.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000000.1991099416.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000002.2881117473.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, Uninstall.exe, 0000000D.00000003.2036725160.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdbx source: cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\AnalyticsManager.pdb source: installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LookupManager.pdbG source: installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\WATaskManager.pdb source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp

Spreading

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C4D
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_0040689E FindFirstFileW,FindClose,	7_2_0040689E
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_00402930 FindFirstFileW,	7_2_00402930
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	12_2_00405C4D
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_0040689E FindFirstFileW,FindClose,	12_2_0040689E
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_00402930 FindFirstFileW,	12_2_00402930
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	13_2_00405C4D
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_0040689E FindFirstFileW,FindClose,	13_2_0040689E
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_00402930 FindFirstFileW,	13_2_00402930

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 13.89.179.12 13.89.179.12

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 9_2_00007FF63969FAA0 URLDownloadToFileA,

9_2_00007FF63969FAA0

Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%u.%u.%u.%uhttps://%%=?=?&/invalid
Source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp, servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1%
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220802AB000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atom-production-collector-cyber-224812358.us-east-1.elb.amazonaws.com
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.di
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123262523.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123357289.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135461095.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134846945.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133059757.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2265476089.000001EE4FBF6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2194448368.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2237382180.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2282895132.000001EE4FC04000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2193246767.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241871701.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2233615654.000001EE4FC02000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2205120374.000001EE4FBF7000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2201944985.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2286889085.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2289188082.000001EE4FC04000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2281619071.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2286349170.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2252740253.000001EE4FC00000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2205207739.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2284001971.000001EE4FC07000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2276194710.000001EE4FBF5000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2191940595.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2253740323.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2794260712.000002209BEB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506624754.000000000599C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138023335.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2472403485.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2505936389.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135261217.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506806509.00000000059DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: installer.exe, 00000015.00000003.2292325560.000001EE4FC0B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2293179625.000001EE4FC00000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2291864796.000001EE4FC0A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2293382960.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2291494417.000001EE4FC07000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2293130187.000001EE4FBF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA25?9
Source: installer.exe, 00000015.00000003.2188340891.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2187273099.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedR
Source: installer.exe, 00000015.00000003.2301150634.000001EE4FC04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.cr
Source: installer.exe, 00000015.00000003.2219969551.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2220262135.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.reasonsecurity.com
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx000Z
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx3
Source: servicehost.exe, 00000025.00000003.2389230555.0000012830346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxQ
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxX
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxZ
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxd
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxm
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxnalPl
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxq
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx~.w
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: installer.exe, 00000015.00000003.2242621140.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2240714489.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241770693.000001EE4FC12000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2240251199.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.gl
Source: installer.exe, 00000015.00000003.2205861065.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2203579464.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2204062389.000001EE4FC12000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2204948508.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codP
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2253380848.000001EE4E343000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261006075.000001EE4FBB6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2280349808.000001EE4E350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005645000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137286489.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2214701595.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: servicehost.exe, 00000025.00000003.2448406106.00000130318B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: servicehost.exe, 00000025.00000003.2448406106.00000130318B5000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2450748310.00000128310AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: rsWSC.exe, 00000023.00000002.2398788699.000001316C750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C38B000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2398588354.000001316C560000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t
Source: rsWSC.exe, 00000023.00000002.2398788699.000001316C750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: rsWSC.exe, 00000023.00000002.2398788699.000001316C750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: rsWSC.exe, 00000023.00000002.2399645841.000001316C80F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: installer.exe, 00000015.00000003.2274352631.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2274869646.000001EE4FBF6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2273783818.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertA
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123262523.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123357289.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135461095.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134846945.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133059757.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2794260712.000002209BEB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: installer.exe, 00000015.00000003.2235787126.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2235706676.000001EE4FBFA000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2236080063.000001EE4FC02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA40
Source: installer.exe, 00000015.00000003.2208815228.000001EE4FBFA000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2209181233.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA409
Source: installer.exe, 00000015.00000003.2186791041.000001EE4FBFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeSt
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506624754.000000000599C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138023335.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2472403485.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2505936389.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135261217.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506806509.00000000059DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Uninstall.exe, 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2214701595.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2215589067.000001EE4FBF7000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2211444795.000001EE4FBF7000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2188621378.000001EE4FC0C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2253380848.000001EE4E343000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261006075.000001EE4FBB6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2238066985.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2280349808.000001EE4E350000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2260816379.000001EE4E34B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2262550015.000001EE4FBB6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300890272.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2265315112.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2275164985.000001EE4E359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: installer.exe, 00000015.00000003.2203387093.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.r
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2794260712.000002209BEB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C38B000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2398588354.000001316C560000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2396723546.000001316C380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rsWSC.exe, 00000023.00000002.2394688885.000001316A204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enx
Source: component0.exe, 00000003.00000002.2859609295.0000022C800AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d14mh4uvqj4iiz.cloudfront.net
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d2zcbe2x5jnnru.cloudfront.net
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.mcafee.com/
Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.mcafee.com/SaveEulaTrackingDetailsHost:
Source: cldwur4x.exe, 00000007.00000000.1936764730.000000000040A000.00000008.00000001.01000000.0000000F.sdmp, cldwur4x.exe, 00000007.00000002.2854568957.000000000040A000.00000004.00000001.01000000.0000000F.sdmp, Uninstall.exe, 0000000C.00000000.2006547741.000000000040A000.00000008.00000001.01000000.00000013.sdmp, Uninstall.exe, 0000000C.00000002.2011545321.000000000040A000.00000004.00000001.01000000.00000013.sdmp, Uninstall.exe, 0000000D.00000002.2877853412.000000000040A000.00000004.00000001.01000000.00000015.sdmp, Uninstall.exe, 0000000D.00000000.2010907065.000000000040A000.00000008.00000001.01000000.00000015.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: installer.exe, 00000015.00000003.2295074056.000001EE4E345000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2296750219.000001EE4E345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digic
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2794260712.000002209BEB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123262523.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2123357289.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135461095.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134846945.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133059757.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506624754.000000000599C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138023335.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2472403485.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2505936389.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135261217.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2506806509.00000000059DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: installer.exe, 00000015.00000003.2203387093.000001EE4FC1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2253380848.000001EE4E343000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261006075.000001EE4FBB6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2280349808.000001EE4E350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005645000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137286489.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2214701595.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: servicehost.exe, 00000025.00000003.2448406106.00000130318B5000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2450748310.00000128310AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: servicehost.exe, 00000025.00000003.2448406106.00000130318B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: installer.exe, 00000015.00000003.2291792213.000001EE4FBB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.comp
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C38B000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2398588354.000001316C560000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: component0.exe, 00000003.00000002.2859609295.0000022C80091000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: saBSI.exe, 00000006.00000003.2131438015.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/
Source: saBSI.exe, 00000006.00000003.2131438015.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2253380848.000001EE4E343000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261006075.000001EE4FBB6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2280349808.000001EE4E350000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005645000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137286489.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2214701595.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: servicehost.exe, 00000025.00000003.2448406106.00000130318B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: component0.exe, 00000003.00000002.2859609295.0000022C800AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://shield.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220802AB000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://track.analytics-data.io
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: rsWSC.exe, 00000023.00000002.2398490791.000001316C47E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: rsWSC.exe, 00000023.00000002.2399510309.000001316C802000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2794260712.000002209BEB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1629559307.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.2236295126.000000000225A000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.0000000002420000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1638609190.00000000034E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: servicehost.exe, 00000025.00000003.2396094556.0000012830FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mcafee.com
Source: rsWSC.exe, 00000023.00000002.2398788699.000001316C750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: http://www.siteadvisor.com/favicon.ico
Source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.siteadvisor.com/favicon.icoF59B2EC8-1D34-435D-B539-435BA415D1B6aapocclcgogkmnckokdopfmhon
Source: installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.siteadvisor.com/favicon.icoMcAfeebepbmhgboaologfdajaanbcjmnhjmhfnapdfllckaahabafndbhieahi
Source: installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.siteadvisor.com/favicon.icoblpcfgokakmgnkcojhhkbfbldkacnbeobepbmhgboaologfdajaanbcjmnhjmh
Source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: http://www.siteadvisor.com/favicon.icomanifest.json
Source: rsWSC.exe, 00000023.00000002.2399645841.000001316C80F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.3.1
Source: installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://.servicebus.windows.net/&se=&skn=Failed
Source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp, servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1%
Source: saBSI.exe, 00000006.00000003.1950985232.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486026799.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2078584756.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/f
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/m
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486026799.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2078584756.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record8
Source: saBSI.exe, 00000006.00000003.2078584756.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordB
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordE
Source: saBSI.exe, 00000006.00000003.1950985232.0000000002E5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordM
Source: saBSI.exe, 00000006.00000003.1950985232.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordZ
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/recordtribution
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.come
Source: saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/r
Source: servicehost.exe, 00000025.00000002.2915694125.0000013042600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.application/jsontransport_api_endpoint
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.qa.apis.mcafee.com
Source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.qa.apis.mcafee.comhttps://analytics.apis.mcafee.com&skn=Failed
Source: installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://analytics.qa.apis.mcafee.comhttps://analytics.apis.mcafee.comContent-Type:
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.reasonsecuX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB7C000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.reasonsecurity.com/rav-dist/packages/ReasonLabs-EPP-x64-v5.30.4.7z
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcafee&type=E280CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcafee&type=E280CH91088G0&p=R
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcafee&type=E500CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcafee&type=E580CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcafee&type=E580CH91088G0&p=L
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcasa&type=E110CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcasa&type=E110CH91088G0&p=:
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcasa&type=E170CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcasa&type=E180CH91088G0&p=
Source: servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?fr=mcasa&type=E180CH91088G0&p=#
Source: servicehost.exe, 00000025.00000003.2822435756.0000013031927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/gossip/gossip-ch-partner?output=fxjson&appid=mca&source=yahoo_mcafe
Source: installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/detail/mcafee%C2%AE-secure-search/enppghjcblldgigemljohkgpcompnjg
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1/g
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1/ge
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1/get
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://comipass.reasonsecurity.com/v1/getX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config-beta.reasonsecurity.com/X
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://config.reasonsecurity.com/X
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cu1pehnswad01.servicebus.windows.net/wadp32h02/messages?timeout=60&api-version=2014-01b
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2224394122.0000000005441000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695566836.0000000000A56000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1991743876.0000000005440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1629559307.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.0000000002420000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1638609190.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2217967515.000000000366D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png-&w
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.pngQ;
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.pngp&
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.pngqF
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.00000000024B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip0fQ
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipSOR
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipSORD
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/images/880/update2/EN.png
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/f/WebAdvisor/images/880/update2/EN.pngO
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1629559307.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.0000000002420000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1638609190.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.00000000024F2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/o
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000074ED000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbd
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbd-8
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.000000000254A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbd.
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.000000000254A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbdY
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbdpA
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net/zbds_A
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net:443/zbd
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d2dbdb0phbn9qb.cloudfront.net:443/zbd9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://electron-shell.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB7C000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://electron-shell.reasonsecurity.com/v1.4.2/ReasonLabs-v1.4.2.7z
Source: cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2816590508.00000220FEBF2000.00000002.00000001.01000000.0000003B.sdmp, Uninstall.exe, 0000000D.00000003.2018820324.000000000274C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2029522577.0000000002749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2029522577.0000000002749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.000000000757B000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.0000000003656000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gsf-fl.softonic.com/361/738/abda546ab2fc780789a74d376a5f1f4ceb/WeChatSetup.exe?Expires=17171
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.0000000005360000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hello.softonic.com/privacy-policy
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hello.softonic.com/privacy-policyion
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.0000000005360000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hello.softonic.com/terms-of-use
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hello.softonic.com/terms-of-use304bf58efb17b6130391c6f350bd5b200f_ARCHITECTURE
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mW
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafe)
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/R
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Ro
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aYl
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?i
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eula
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafeef
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafz
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://images.sftcdn.net/images/t_app-icon-s
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000000.1628880938.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.co
Source: Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.comX
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/products/rav/privacy-policy?utm_source=rav_antivirus_installer
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/products/rav/terms?utm_source=rav_antivirus_installer
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.0000000005395000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policies
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesm/rsSt
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2224394122.0000000005441000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1991743876.0000000005440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesm/rsStj
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiest.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiest.net/f/WebAdvisor/images/880/update2/EN.pngO
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.0000000005395000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/rav_online_security_policies
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/rav_online_security_policieseV0
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/rav_online_security_policieses
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/rav_online_security_policiestmlV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/rav_online_security_policiestmlr.pngupdate2/EN.png
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000074F7000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://risecodes.com/privacy
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000074F7000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://risecodes.com/terms
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://risecodes.com/terms/
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/%
Source: saBSI.exe, 00000006.00000003.2028162188.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/&
Source: saBSI.exe, 00000006.00000003.2028162188.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015414132.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/C
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/CC
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/EB
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/p
Source: servicehost.exe, 00000025.00000003.2450748310.00000128310AD000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2821510973.0000013041DCD000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2453464846.00000128310AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/
Source: saBSI.exe	String found in binary or memory: https://sadownload.mcafee.com/products/SA/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml/
Source: saBSI.exe, 00000006.00000003.1979176506.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_Distribut
Source: saBSI.exe, 00000006.00000003.1979144528.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2001482393.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979245095.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979316837.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml
Source: saBSI.exe, 00000006.00000003.1979297592.00000000055C4000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1978994671.00000000055C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xmlM
Source: saBSI.exe, 00000006.00000003.1979144528.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979245095.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979316837.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xml
Source: saBSI.exe, 00000006.00000003.1979297592.00000000055C4000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1978994671.00000000055C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xml/
Source: saBSI.exe, 00000006.00000003.1979176506.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486026799.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xmlalue=
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E5C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2001482393.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml
Source: saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml/
Source: saBSI.exe, 00000006.00000003.2001482393.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xmlv
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/
Source: saBSI.exe, 00000006.00000003.2486133896.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2122780803.00000000055C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485866665.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015109896.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131499733.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015221625.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2028162188.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015414132.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053115287.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml
Source: saBSI.exe, 00000006.00000003.2015109896.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2473044728.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137581289.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053470694.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485441210.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml/
Source: saBSI.exe, 00000006.00000003.2028162188.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015414132.0000000002EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xmlg
Source: saBSI.exe, saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000003.1950985232.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_main.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml/
Source: saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/UPDATER_VERSIONaffidosplatSELF_UPDATE_ALLOWEDMAIN_XMLSTORE
Source: saBSI.exe, saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.json
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonIFIER=I
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonP4
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonPath=C:
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsontoItXP11
Source: saBSI.exe, 00000006.00000003.2486133896.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2122780803.00000000055C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485866665.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015109896.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131499733.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053115287.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi
Source: saBSI.exe, 00000006.00000003.2015109896.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2473044728.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137581289.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053470694.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485441210.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979261516.0000000002ED5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1964522174.0000000002ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1979176506.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2486237341.0000000002ECB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml/
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/binary
Source: saBSI.exe, 00000006.00000003.2123144495.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/898/
Source: saBSI.exe, 00000006.00000003.2123144495.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/pc/partner_custom_bsi.xml
Source: saBSI.exe, 00000006.00000003.2123144495.0000000002EEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/update/post_install.xml
Source: servicehost.exe, 00000025.00000003.2396094556.0000012830FAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/WebAdvisor/Win/update_product.xml
Source: servicehost.exe, 00000025.00000003.2822435756.0000013031927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/WebAdvisor/Win/update_product.xmlser_protection_score).
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/WebAdvisor/Win/update_product_dataConfig.xml
Source: servicehost.exe, 00000025.00000003.2389558951.000001283035F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2389558951.000001283035F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa(
Source: saBSI.exe, 00000006.00000003.2486133896.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2122780803.00000000055C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485866665.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015109896.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131499733.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053115287.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary
Source: saBSI.exe, 00000006.00000003.2015109896.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2473044728.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137581289.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053470694.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485441210.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary/
Source: saBSI.exe, 00000006.00000003.2053785665.00000000055FE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2122780803.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2078411123.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053115287.00000000055FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/v1/pc/partner_custom_vars.xml
Source: servicehost.exe, 00000025.00000003.2395302436.0000012830F6A000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2394364010.0000012830F6A000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2915403088.0000013041E64000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2396094556.0000012830F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/win/ca/update.xml
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa6
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saB
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saP
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saR=
Source: saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saUPDATER_URLupdater.exeWebAdvisor_Updaterheron_hostthreat.ap
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2389558951.000001283035F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saY0
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sadows_
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sallowedFl
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sallowedal
Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279804803.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp, installer.exe, 00000015.00000003.2297053110.000001EE5049E000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saupdater.exeWebAdvisor_Updaterthreat.api.mcafee.comheron_tok
Source: servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saurnalpoc
Source: servicehost.exe, 00000025.00000003.2822435756.0000013031927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com:443/products/WebAdvisor/Win/update_product_dataConfig.xml
Source: servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: rsWSC.exe, 00000023.00000002.2396723546.000001316C38B000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2398588354.000001316C560000.00000004.00000020.00020000.00000000.sdmp, rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/R
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/Re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/Rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/Reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/Reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/Reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonL
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLa
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLab
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-D
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-DN
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-DNS
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-DNS-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-DNS-setup.exe?id=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-V
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VP
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-s
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-se
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-set
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.e
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.ex
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?o
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oi
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=2
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&d
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dt
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=t
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=tr
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=tru
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&p
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&pt
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&i
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&id
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&id=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.co
Source: component0.exe, 00000003.00000002.2859609295.0000022C8009E000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/R
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/Re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/Rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/Reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/Reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/Reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonL
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLa
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLab
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-D
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DN
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-s
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-se
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-set
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.e
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.ex
Source: component0.exe, 00000003.00000000.1901418219.0000022CF9882000.00000002.00000001.01000000.0000000B.sdmp, component0.exe, 00000003.00000002.2859609295.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.exe
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.exe?
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.exe?i
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.exe?id
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.exe?id=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-E
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EP
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-s
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-se
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-set
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.e
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.ex
Source: component0.exe, 00000003.00000000.1901418219.0000022CF9882000.00000002.00000001.01000000.0000000B.sdmp, component0.exe, 00000003.00000002.2859609295.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.exe
Source: component0.exe, 00000003.00000002.2859609295.0000022C8009E000.00000004.00000800.00020000.00000000.sdmp, component0.exe, 00000003.00000002.2859609295.0000022C80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.exeX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-V
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VP
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-s
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-se
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-set
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.e
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.ex
Source: component0.exe, 00000003.00000000.1901418219.0000022CF9882000.00000002.00000001.01000000.0000000B.sdmp, component0.exe, 00000003.00000002.2859609295.0000022C80001000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?o
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oi
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=2
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&d
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dt
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=t
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=tr
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=tru
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&p
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&pt
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&i
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&id
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&id=
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe130391c6f350bd5b200f(
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeges/880/update2/EN.pngs
Source: component0.exe, 00000003.00000002.2859609295.0000022C80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com:443/ReasonLabs-EPP-setup.exe?dui=9e146be9-c76a-4720-bcdb-53011b87b
Source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/X
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.a
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.an
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.ana
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.anal
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analy
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABF88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analyt
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analyti
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytic
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-d
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-da
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-dat
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.i
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io(
Source: RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io/X
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.ioX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.ioYTD2bje3MpZmRHfvPqjEhgac5rqRkvTdeZLa&4?y
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud-beta.reasonsecurity.comX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ud.reasonsecurity.comX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/live
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/u
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/up
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/upd
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/upda
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/updat
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/update
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/updateX
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.r
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.re
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.rea
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reas
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reaso
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reason
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasons
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonse
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsec
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecu
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecur
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecuri
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurit
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220800BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/
Source: rsSyncSvc.exe, 0000000B.00000002.2876299769.0000018992E00000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live
Source: rsSyncSvc.exe, 0000000B.00000002.2876299769.0000018992E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live-bn:ReasonLabs-dt:10
Source: rsSyncSvc.exe, 00000009.00000002.1991678784.0000026D93EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live-dt:10
Source: rsSyncSvc.exe, 00000009.00000002.1991678784.0000026D93EFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/liveP2
Source: rsSyncSvc.exe, 0000000B.00000002.2876299769.0000018992E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/livelivedll
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/u
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/up
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/upd
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/upda
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/updat
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/update
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/updateX
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075B4000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075C2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.com&Filename=WeChatSetup.exe
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.00000000024EB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.com&Filename=WeChatSetup.exeLINK
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.com&Filename=WeChatSetup.exec.com&Filename=WeChatSetup.exe
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.00000000024EB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.com&Filename=WeChatSetup.exel
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.00000000024CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.com/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2212930638.0000000002551000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wechat.en.softonic.comA
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eD
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-produc
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-productsC
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/pr
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/pri
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eula
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacy
Source: rsWSC.exe, 00000023.00000002.2399510309.000001316C802000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: rsWSC.exe, 00000023.00000002.2399510309.000001316C802000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.forbes.com/sites/forbestechcouncil/2022/07/13/why-do-hacks-happen-four-ubiquitous-motiva
Source: installer.exe, 00000015.00000003.2283460924.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2281619071.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.glo.
Source: installer.exe, 00000015.00000003.2287899474.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2287714016.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/reposI=
Source: installer.exe, 00000015.00000003.2257662101.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1924914911.00000000053FB000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1925856309.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2133543794.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005645000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134635690.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131010474.0000000005607000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2136998310.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134588942.0000000005881000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137550371.000000000591D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2135654827.0000000005646000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2138227025.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137286489.0000000005687000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2134797695.0000000005646000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2290004891.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2234210490.000001EE4FC2B000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2214701595.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300820263.000001EE4FC10000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2292906319.000001EE4E346000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2283460924.000001EE4FC19000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	String found in binary or memory: https://www.google.com/search?q=%s
Source: installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=%sSoftware
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000026F0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000000.1636976723.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/c7
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/co
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/con
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consI
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consu
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consum
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consume
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2217967515.000000000366D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/e
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2217967515.000000000366D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/p
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/polic
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/R
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261224459.000001EE5049A000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2261434562.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/legal.html
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/globp
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/l
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/le
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2217967515.000000000366D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html0391c6
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html7
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlOC;
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html_B
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlz;
Source: installer.exe, 00000012.00000003.2182206269.000002236E0C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/nl-nl/policy/legal.html
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlL
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlR
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlT1
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlX
Source: servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlhttp://cac
Source: saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlj
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlq
Source: regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlu
Source: installer.exe, 00000012.00000003.2182206269.000002236E0C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/legal
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computers
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacy
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.c
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.co
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com
Source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/X
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000026F0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000000.1636976723.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: installer.exe, 00000015.00000003.2249551185.000001EE4E34C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2249328069.000001EE50496000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.siteadvisor.com/ff/install
Source: installer.exe, 00000015.00000003.2279051517.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2200549679.000001EE4FBF9000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2300890272.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2265476089.000001EE4FBF6000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2194448368.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2237382180.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2282895132.000001EE4FC04000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2193246767.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241871701.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2233615654.000001EE4FC02000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2205120374.000001EE4FBF7000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2201944985.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2286889085.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2289188082.000001EE4FC04000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2281619071.000001EE4FBF3000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2286349170.000001EE4FC06000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2252740253.000001EE4FC00000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2205207739.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2284001971.000001EE4FC07000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2276194710.000001EE4FBF5000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2191940595.000001EE4FBFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwwwssdep.cabsitory/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe

Code function: 7_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

7_2_00405705

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\rselam.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\elam\rselam.cat	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe

File dropped: C:\Program Files\McAfee\Temp3475153614\jslang\eula-en-US.txt -> encryption key for your account secure because without them you may lose access to your data. you are solely responsible and liable for any activity that occurs under your account, including by anyone who uses your account. if there is any unauthorized use or access to your account, you must let us know immediately. we are not responsible for any loss caused by unauthorized use of or access to your account; however, you may be liable for any losses we or others suffer because of the unauthorized use. we do not have access to master passwords and cannot recover your encrypted data if you forget the master password for any password management feature or product. we offer both free and premium versions of our password and identity management software, and the free versions limit the maximum number of unique accounts (such as a website or application login) that you can store. if you have downloaded a premium version of the software at no cost during a promotion, then when the promotional period ends you will not

Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1 (copy) entropy: 7.99597518735	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip (copy) entropy: 7.99597518735	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe entropy: 7.99268446314	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z entropy: 7.99998386038	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\electron.7z entropy: 7.99999530372	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources.pak entropy: 7.99555496455	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\analyticsmanager.cab entropy: 7.99966205396	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\browserhost.cab entropy: 7.99940458789	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\browserplugin.cab entropy: 7.99921375745	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\downloadscan.cab entropy: 7.99971567747	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\eventmanager.cab entropy: 7.99961026418	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\logicmodule.cab entropy: 7.99963027056	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\lookupmanager.cab entropy: 7.99940721056	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\mfw-webadvisor.cab entropy: 7.99749591242	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\mfw.cab entropy: 7.99504677769	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\servicehost.cab entropy: 7.99683451054	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\settingmanager.cab entropy: 7.99942430965	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\taskmanager.cab entropy: 7.9996376975	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\uihost.cab entropy: 7.99722395671	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\uimanager.cab entropy: 7.99950321932	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\uninstaller.cab entropy: 7.99937886305	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\updater.cab entropy: 7.99943711138	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\wataskmanager.cab entropy: 7.99986130185	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\wssdep.cab entropy: 7.9988485709	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	File created: C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi entropy: 7.99707344308	Jump to dropped file

System Summary

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File dump: rsAppUI.exe.8.dr 166021264

Jump to dropped file

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007D6220: GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,

6_2_007D6220

Contains functionality to delete services

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 9_2_00007FF639694BB0 RegCreateKeyExW,RegCloseKey,OutputDebugStringW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

9_2_00007FF639694BB0

Contains functionality to launch a process as a different user

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 9_2_00007FF6396BE4D0 WTSGetActiveConsoleSessionId,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,GetLastError,DuplicateTokenEx,CloseHandle,CreateProcessAsUserW,CloseHandle,WaitForSingleObject,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

9_2_00007FF6396BE4D0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	7_2_0040351C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	12_2_0040351C
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	13_2_0040351C

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File created: C:\Windows\system32\drivers\rsCamFilter020502.sys

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\system32\drivers\rsCamFilter020502.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\system32\drivers\rsKernelEngine.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\system32\drivers\rsElam.sys	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D4F50	6_2_007D4F50
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D8FB0	6_2_007D8FB0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D70D9	6_2_007D70D9
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007D5110	6_2_007D5110
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007DF110	6_2_007DF110
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007F73B0	6_2_007F73B0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080D540	6_2_0080D540
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00811840	6_2_00811840
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007F3AC0	6_2_007F3AC0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080FFE0	6_2_0080FFE0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00808190	6_2_00808190
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008183A0	6_2_008183A0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080A540	6_2_0080A540
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007BA610	6_2_007BA610
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00858609	6_2_00858609
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00820660	6_2_00820660
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008147C0	6_2_008147C0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008128A0	6_2_008128A0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008668E0	6_2_008668E0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00860992	6_2_00860992
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00840919	6_2_00840919
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00860AB2	6_2_00860AB2
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007B2B00	6_2_007B2B00
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00840B4B	6_2_00840B4B
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00840DB0	6_2_00840DB0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0083ADD0	6_2_0083ADD0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00816D43	6_2_00816D43
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007E8EA0	6_2_007E8EA0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007BCF40	6_2_007BCF40
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0080F150	6_2_0080F150
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007FD2C0	6_2_007FD2C0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0084933A	6_2_0084933A
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0084B340	6_2_0084B340
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008514AF	6_2_008514AF
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0081B4F0	6_2_0081B4F0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007B5400	6_2_007B5400
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00817602	6_2_00817602
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007BF830	6_2_007BF830
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0085D8E0	6_2_0085D8E0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0084390B	6_2_0084390B
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00813A30	6_2_00813A30
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007EFB40	6_2_007EFB40
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007E3C50	6_2_007E3C50
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007DBCB0	6_2_007DBCB0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_007B7D10	6_2_007B7D10
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_00406C5F	7_2_00406C5F
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Code function: 8_2_00007FFD9B9F6C04	8_2_00007FFD9B9F6C04
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396971C0	9_2_00007FF6396971C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639694BB0	9_2_00007FF639694BB0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FC334	9_2_00007FF6396FC334
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396A7B30	9_2_00007FF6396A7B30
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639706314	9_2_00007FF639706314
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396992F0	9_2_00007FF6396992F0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396C6AD0	9_2_00007FF6396C6AD0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FA1B0	9_2_00007FF6396FA1B0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396B5990	9_2_00007FF6396B5990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396BC990	9_2_00007FF6396BC990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396F9990	9_2_00007FF6396F9990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6397111E8	9_2_00007FF6397111E8
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63971D1EC	9_2_00007FF63971D1EC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396C2960	9_2_00007FF6396C2960
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396B4140	9_2_00007FF6396B4140
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63971F188	9_2_00007FF63971F188
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63970D18C	9_2_00007FF63970D18C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396A89D0	9_2_00007FF6396A89D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FB4A0	9_2_00007FF6396FB4A0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396BE4D0	9_2_00007FF6396BE4D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FA3B4	9_2_00007FF6396FA3B4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396F9B94	9_2_00007FF6396F9B94
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FCB70	9_2_00007FF6396FCB70
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396EE430	9_2_00007FF6396EE430
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63971F6D4	9_2_00007FF63971F6D4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396A3660	9_2_00007FF6396A3660
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63969F6E0	9_2_00007FF63969F6E0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396F9DA0	9_2_00007FF6396F9DA0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6397165D4	9_2_00007FF6397165D4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639710D54	9_2_00007FF639710D54
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63969B5E0	9_2_00007FF63969B5E0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6397040B0	9_2_00007FF6397040B0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63969A080	9_2_00007FF63969A080
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639706934	9_2_00007FF639706934
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639716850	9_2_00007FF639716850
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FB108	9_2_00007FF6396FB108
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639711868	9_2_00007FF639711868
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639712870	9_2_00007FF639712870
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63970AFBC	9_2_00007FF63970AFBC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396F9FA4	9_2_00007FF6396F9FA4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639706180	9_2_00007FF639706180
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FC76C	9_2_00007FF6396FC76C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF63970E024	9_2_00007FF63970E024
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FB824	9_2_00007FF6396FB824
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF639709F80	9_2_00007FF639709F80
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_00406C5F	12_2_00406C5F
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_00406C5F	13_2_00406C5F
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_6B431BFF	13_2_6B431BFF

Enables driver privileges

Source: C:\Windows\System32\fltMC.exe

Process token adjusted: Load Driver

Enables security privileges

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Found potential string decryption / allocating functions

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF639693810 appears 34 times
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF6396AE250 appears 58 times
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF639691DB0 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 00854231 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 007C1BE0 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 00838E31 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 00839600 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 008385BF appears 56 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 007F8650 appears 192 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 00838713 appears 374 times
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: String function: 00838DFE appears 111 times

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6540 -ip 6540

PE file contains executable resources (Code or Archives)

Source: wechat-3.9.7-installer_ae-GFz1.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: installer.exe.6.dr	Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 28097920 bytes, 132 files, at 0x2c +A "analyticsmanager.cab" +A "analyticstelemetry.cab", number 1, 988 datablocks, 0x1 compression

Sample file is different than original file name gathered from version info

Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000029E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs wechat-3.9.7-installer_ae-GFz1.exe
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.2236295126.0000000002318000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs wechat-3.9.7-installer_ae-GFz1.exe
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FE35000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs wechat-3.9.7-installer_ae-GFz1.exe
Source: wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000000.1629154676.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs wechat-3.9.7-installer_ae-GFz1.exe

Searches the installation path of Mozilla Firefox

Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\118.0.1 (x64 en-US)\Main Install Directory

Uses 32bit PE files

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

query blbeacon for getting browser version

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version			Jump to behavior
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version

Source: RAVEndPointProtection-installer.exe.7.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal48.rans.troj.spyw.evad.winEXE@78/1890@0/21

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	7_2_0040351C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	12_2_0040351C
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	13_2_0040351C

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe

Code function: 7_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

7_2_004049B1

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: OutputDebugStringW,GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,RegisterServiceCtrlHandlerExW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,CreateEventW,OutputDebugStringW,GetLastError,SetServiceStatus,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,WaitForSingleObject,OutputDebugStringW,OutputDebugStringW,CloseHandle,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,SetEvent,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

9_2_00007FF6396971C0

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007C4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

6_2_007C4C8E

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007C5C1E CoCreateInstance,OleRun,

6_2_007C5C1E

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007E5318 GetModuleHandleW,FindResourceW,LoadResource,LockResource,std::ios_base::_Ios_base_dtor,GetModuleHandleW,GetProcAddress,GetCurrentProcess,Concurrency::cancel_current_task,Concurrency::cancel_current_task,SysFreeString,SysFreeString,

6_2_007E5318

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 9_2_00007FF6396971C0 OutputDebugStringW,GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,RegisterServiceCtrlHandlerExW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,CreateEventW,OutputDebugStringW,GetLastError,SetServiceStatus,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,WaitForSingleObject,OutputDebugStringW,OutputDebugStringW,CloseHandle,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,SetEvent,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

9_2_00007FF6396971C0

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

9_2_00007FF639694BB0

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File created: C:\Program Files\ReasonLabs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\_rsStubExecute
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Mutant created: NULL
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_03

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe

File created: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp

Jump to behavior

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%EPP%'
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 6024
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%EPP%'
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%ReasonEDR%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%klekeajafkkpokaofllcadenjdckhinm%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fheoggkfdfchfphceeifdbepaooicaho%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fdhgeoginicibhagdmblfikbgbkahibd%'

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO ParentChild VALUES(?, ?, ?);
Source: installer.exe, 00000015.00000003.2288937766.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2196277192.000001EE50499000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2284950546.000001EE50493000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM ParentChild;DELETE FROM Settings WHERE ParentID=?;Settings_INDEX_PID_NAMEUPDATE Settings SET SettingName = ? WHERE ParentID = ? AND SettingName = ?;SettingsUPDATE Settings SET SettingType=?, Setting=? WHERE ParentID=? AND SettingName=?;ParentChildINSERT INTO Settings VALUES(?, ?, ?, ?);
Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE ParentChild SET Name = ? WHERE ParentID = ? AND Name = ?;
Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE Settings(ParentID INT, SettingName VARCHAR(40), SettingType INT, Setting BLOB);DELETE FROM ParentChild WHERE ParentID=?;
Source: installer.exe, 00000015.00000003.2288937766.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2196277192.000001EE50499000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2284950546.000001EE50493000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM Settings;CREATE INDEX Settings_INDEX_PID_NAME ON Settings (ParentID ASC, SettingName ASC);

Source: wechat-3.9.7-installer_ae-GFz1.exe

Virustotal: Detection: 20%

Source: cldwur4x.exe	String found in binary or memory: "C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.ex
Source: Uninstall.exe	String found in binary or memory: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\
Source: Uninstall.exe	String found in binary or memory: "C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-cs-CZ.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-da-DK.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-en-US.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-es-ES.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-es-MX.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-de-DE.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-el-GR.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-hr-HR.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-hu-HU.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-it-IT.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-fi-FI.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-fr-CA.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-fr-FR.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-nb-NO.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-nl-NL.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-pl-PL.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-ja-JP.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-ko-KR.js
Source: installer.exe	String found in binary or memory: wa-install.css
Source: installer.exe	String found in binary or memory: wa-install.html
Source: installer.exe	String found in binary or memory: wa-ui-install.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-sk-SK.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-sr-Latn-CS.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-pt-BR.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-pt-PT.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-ru-RU.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-zh-TW.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-sv-SE.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-tr-TR.js
Source: installer.exe	String found in binary or memory: jslang\wa-res-install-zh-CN.js

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe

File read: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe "C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe"
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp "C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp" /SL5="$1040C,837551,832512,C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240601224314&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process created: C:\Users\user\AppData\Local\Temp\cldwur4x.exe "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Process created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe "C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Source: unknown	Process created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6540 -ip 6540
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe "C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6540 -ip 6540
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Process created: C:\Program Files\McAfee\Temp3475153614\installer.exe "C:\Program Files\McAfee\Temp3475153614\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\fltMC.exe "fltmc.exe" load rsKernelEngine
Source: C:\Windows\System32\fltMC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
Source: unknown	Process created: C:\Program Files\McAfee\WebAdvisor\servicehost.exe "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
Source: unknown	Process created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe "C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: C:\Program Files\McAfee\WebAdvisor\uihost.exe "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
Source: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp "C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp" /SL5="$1040C,837551,832512,C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240601224314&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process created: C:\Users\user\AppData\Local\Temp\cldwur4x.exe "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Process created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe "C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\fltMC.exe "fltmc.exe" load rsKernelEngine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe "C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Process created: C:\Program Files\McAfee\Temp3475153614\installer.exe "C:\Program Files\McAfee\Temp3475153614\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: C:\Program Files\McAfee\WebAdvisor\uihost.exe "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: unknown unknown
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: unknown unknown
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: urlmon.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: powrprof.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: winhttp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: iertutil.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: srvcli.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: umpdc.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: urlmon.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: powrprof.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: winhttp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: iertutil.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: srvcli.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: umpdc.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: userenv.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: propsys.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: oleacc.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: shfolder.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: wldp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: profapi.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: apphelp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: winhttp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: userenv.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: msasn1.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: wldp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: profapi.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: winsta.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: cabinet.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: gpapi.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: webio.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: mswsock.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: winnsi.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: sspicli.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: schannel.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: version.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\runonce.exe	Section loaded: windows.staterepositoryps.dll

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File written: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Automated click: Accept

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_100_percent.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\icudtl.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSES.chromium.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ar.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bg.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bn.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ca.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\cs.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-GB.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-US.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es-419.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\et.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\gu.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\he.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hu.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\id.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\it.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ja.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\kn.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ko.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lt.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lv.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ml.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\mr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nb.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-BR.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-PT.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ro.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ru.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sk.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sw.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\th.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\tr.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\uk.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ur.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\vi.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-TW.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources.pak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\version	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader_icd.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rselam.cat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe.config	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Signatures.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\WhiteList.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.AppContext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TextWriterTraceListener.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Calendars.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.IsolatedStorage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.UnmanagedMemoryStream.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Queryable.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NameResolution.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Ping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Sockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebHeaderCollection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Writer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Handles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.X509Certificates.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.ThreadPool.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlSerializer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\mc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\NAudio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\netstandard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsBridge.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR\amd64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EDR\x64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\amd64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ARM64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR\amd64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\EDR\x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\x64
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\manifest.json
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsClient.Protection.Microphone.dll.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsEngine.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsEngineSvc.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsExtensionHost.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsHelper.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\rsRemediation.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\Signatures.dat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\manifest.json
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\WhiteList.dat
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\133617854419739262\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\analyticsmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\analyticstelemetry.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\balloon_safe_annotation.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\browserhost.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\browserplugin.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\downloadscan.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\eventmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_complete.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_failed.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\icon_laptop.png
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\installer.exe
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\jquery-1.9.0.min.js
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\l10n.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\logicmodule.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\logicscripts.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\lookupmanager.cab
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Directory created: C:\Program Files\McAfee\Temp3475153614\main_close_large.png

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP

Jump to behavior

PE / OLE file has a valid certificate

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static file information: File size 1771256 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: wechat-3.9.7-installer_ae-GFz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: rsAtom.pdb source: cldwur4x.exe, 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp, Uninstall.exe, 0000000D.00000003.2030874846.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\ServiceHost.pdbu source: installer.exe, 00000015.00000003.2279804803.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsWSC.pdb source: rsWSC.exe, 00000023.00000000.2377819043.0000013169FE2000.00000002.00000001.01000000.00000023.sdmp, rsWSC.exe, 00000023.00000002.2391526354.00000131000A0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\SettingManager.pdb source: installer.exe, 00000015.00000003.2284950546.000001EE50616000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\WebAdvisor-accesslib-caller_main@2\Build\x64\Release\caller_dll.pdb source: installer.exe, 00000015.00000000.2184712865.00007FF7F5BD2000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: component0.exe, 00000003.00000000.1901418219.0000022CF9882000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: rsTime.pdb source: cldwur4x.exe, 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2035288824.0000000002746000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1@2\build\Win32\Release\Resource.pdbGCTL source: installer.exe, 00000015.00000003.2275014753.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\BrowserHost.pdbe source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LogicModule.pdb source: installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\non_system\code\WebAdvisor-ISGIS\build\x64\Release\Installer.pdb$ source: installer.exe, 00000012.00000002.2429013846.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp, installer.exe, 00000012.00000000.2140165890.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1@2\build\Win32\Release\Resource.pdb source: installer.exe, 00000015.00000003.2275014753.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\RavStub\obj\Release\RavStub.pdb source: cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000009.00000002.1991906507.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 00000009.00000000.1989460441.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000000.1991099416.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000002.2881117473.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, Uninstall.exe, 0000000D.00000003.2036725160.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\x64\Release\ArchiveUtility.pdb source: cldwur4x.exe, 00000007.00000003.1941104405.000000000275F000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2017575775.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\ServiceHost.pdb source: installer.exe, 00000015.00000003.2279804803.000001EE5049C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdbHG source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsServiceController.pdb source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\TaskManager.pdb source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: cldwur4x.exe, 00000007.00000003.1947303929.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2806047428.00000220FE8D2000.00000002.00000001.01000000.00000037.sdmp, Uninstall.exe, 0000000D.00000003.2034651192.0000000002745000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\TaskManager.pdb{ source: installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2816590508.00000220FEBF2000.00000002.00000001.01000000.0000003B.sdmp, Uninstall.exe, 0000000D.00000003.2018820324.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\BrowserHost.pdb source: installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\non_system\code\WebAdvisor-ISGIS\build\x64\Release\Installer.pdb source: installer.exe, 00000012.00000002.2429013846.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp, installer.exe, 00000012.00000000.2140165890.00007FF62C89B000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\UIHost.pdb source: installer.exe, 00000015.00000003.2297053110.000001EE5049E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsDatabase.pdb source: cldwur4x.exe, 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: cldwur4x.exe, 00000007.00000003.1944063171.000000000275A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2029522577.0000000002749000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000006.00000000.1925610612.000000000087E000.00000002.00000001.01000000.0000000D.sdmp, saBSI.exe, 00000006.00000002.2499426343.000000000087E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\Installer.pdb source: installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LookupManager.pdb source: installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\WATaskManager.pdb] source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: cldwur4x.exe, 00000007.00000003.1943453787.000000000275B000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2027474805.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdb source: cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\UIHost.pdbu source: installer.exe, 00000015.00000003.2297053110.000001EE5049E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: cldwur4x.exe, 00000007.00000003.1942704932.000000000275B000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2816590508.00000220FEBF2000.00000002.00000001.01000000.0000003B.sdmp, Uninstall.exe, 0000000D.00000003.2018820324.000000000274C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\EventManager.pdb source: installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdb source: cldwur4x.exe, 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208056A000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp, Uninstall.exe, 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: cldwur4x.exe, 00000007.00000003.1948992026.000000000275D000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000009.00000002.1991906507.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 00000009.00000000.1989460441.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000000.1991099416.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000B.00000002.2881117473.00007FF639727000.00000002.00000001.01000000.00000012.sdmp, Uninstall.exe, 0000000D.00000003.2036725160.0000000002744000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdbx source: cldwur4x.exe, 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\AnalyticsManager.pdb source: installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\LookupManager.pdbG source: installer.exe, 00000015.00000003.2256518886.000001EE504BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\x64\Release\WATaskManager.pdb source: servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp

Data Obfuscation

Binary contains a suspicious time stamp

Source: is-77RM8.tmp.1.dr

Static PE information: 0xA024B15D [Sat Feb 20 18:01:01 2055 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00802B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,

6_2_00802B30

PE file contains an invalid checksum

Source: wechat-3.9.7-installer_ae-GFz1.tmp.0.dr	Static PE information: real checksum: 0x31e124 should be: 0x3174f1
Source: System.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x39be
Source: wechat-3.9.7-installer_ae-GFz1.exe	Static PE information: real checksum: 0x1b5901 should be: 0x1b3740
Source: cldwur4x.exe.3.dr	Static PE information: real checksum: 0x1e9d3e should be: 0x1ec0ef
Source: is-77RM8.tmp.1.dr	Static PE information: real checksum: 0x15863 should be: 0x185c5

PE file contains sections with non-standard names

Source: wechat-3.9.7-installer_ae-GFz1.exe	Static PE information: section name: .didata
Source: wechat-3.9.7-installer_ae-GFz1.tmp.0.dr	Static PE information: section name: .didata
Source: saBSI.exe.1.dr	Static PE information: section name: .didat
Source: installer.exe.6.dr	Static PE information: section name: _RDATA
Source: ArchiveUtilityx64.dll.7.dr	Static PE information: section name: _RDATA

Registers a DLL

Source: C:\Program Files\McAfee\Temp3475153614\installer.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Code function: 1_2_0019C457 push ecx; retf	1_2_0019C458
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Code function: 1_2_0019BD6C push eax; ret	1_2_0019BD6D
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00838DDB push ecx; ret	6_2_00838DEE
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00867CFD push ecx; ret	6_2_00867D12
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_6B4330C0 push eax; ret	13_2_6B4330EE

Source: RAVEndPointProtection-installer.exe.7.dr

Static PE information: section name: .text entropy: 7.672717019783964

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\NAudio.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ru-RU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.XPath.XDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hr-HR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.InteropServices.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.SecureString.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.Parallel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Collections.NonGeneric.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Text.RegularExpressions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Resources.Reader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.Pipes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Globalization.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.ThreadPool.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sl\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEngine.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0 (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\da-DK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Sockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8CEF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\vi-VN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fil-PH\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Principal.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.XmlSerializer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ATY5CJG3\rsServiceController.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tr-TR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.NameResolution.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	File created: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Linq.Queryable.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Contracts.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\OSExtensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\th-TH\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.CompilerServices.VisualC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\nl-NL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Console.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Tools.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.TypeConverter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.Compression.ZipFile.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Collections.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pl-PL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\el-GR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Encoding.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sk-SK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt-PT\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ko-KR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-TW\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Dynamic.Runtime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsKernelEngine.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hi-IN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Reflection.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	File created: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ZMMW8FDC\rsLogger.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Ping.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\amd64\vcruntime140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\is-77RM8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\SQLite.Interop.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\nb-NO\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Globalization.Calendars.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsBridge.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Formatters.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.Timer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsAtom.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.ReaderWriter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Tracing.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsElam.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\netstandard.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.Overlapped.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Csp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\Uninstall.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ro-RO\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Linq.Parallel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.MemoryMappedFiles.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsJSON.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Algorithms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsCamFilter020502.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.DriveInfo.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Reflection.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\cs-CZ\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Claims.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Drawing.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\KRK4DVBJ\rsJSON.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.AppContext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sl-SI\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\amd64\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\de-DE\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.WebHeaderCollection.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.InteropServices.RuntimeInformation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.NetworkInformation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\TraceReloggerLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-CN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	File created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Process.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.Client.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Reflection.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.Watcher.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Resources.ResourceManager.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.X509Certificates.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Data.SQLite.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEngine.JSON.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Numerics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\id-ID\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Globalization.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ObjectModel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Http.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEngine.Loggers.Application.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.UnmanagedMemoryStream.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Requests.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Linq.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Threading.Thread.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\UDOOGFD5\rsAtom.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.TextWriterTraceListener.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\amd64\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEDRLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\it-IT\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\K0L2UM4E\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.TraceSource.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hu-HU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.Compression.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\Microsoft.Win32.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Linq.Expressions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.FastSerialization.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Data.Common.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt-BR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.IO.IsolatedStorage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.XPath.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Text.Encoding.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.FileVersionInfo.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.XDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sv-SE\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ja-JP\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\es-ES\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.EventBasedAsync.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Xml.XmlDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.ValueTuple.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Collections.Specialized.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\mc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fi-FI\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\amd64\msdia140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Debug.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Text.Encoding.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Handles.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Collections.Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\Dia2Lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Net.Security.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\amd64\KernelTraceControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.StackTrace.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fr-FR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\System.Resources.Writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EDR\rsEngine.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Handles.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsKernelEngine.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsElam.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Windows\System32\drivers\rsCamFilter020502.sys	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RAVEndPointProtection-installer.exe.log	Jump to behavior
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	File created: C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	File created: C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-cs-CZ.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-da-DK.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-de-DE.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-el-GR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-en-US.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-es-ES.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-es-MX.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fi-FI.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fr-CA.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-fr-FR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-hr-HR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-hu-HU.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-it-IT.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ja-JP.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ko-KR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-nb-NO.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-nl-NL.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pl-PL.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pt-BR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-pt-PT.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-ru-RU.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sk-SK.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sr-Latn-CS.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-sv-SE.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-tr-TR.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-zh-CN.txt
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	File created: C:\Program Files\McAfee\Temp3475153614\jslang\eula-zh-TW.txt

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\rundll32.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv

Installs Task Scheduler Managed Wrapper

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	File created: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\Microsoft.Win32.TaskScheduler.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	File created: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\Microsoft.Win32.TaskScheduler.dll

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rsCamFilter020502

Jump to behavior

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

9_2_00007FF6396971C0

Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\System32\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe

File opened: C:\Program Files\ReasonLabs\EPP\Uninstall.exe:Zone.Identifier read attributes | delete

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007F0540 EnterCriticalSection,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LeaveCriticalSection,

6_2_007F0540

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Memory allocated: 22CF9D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Memory allocated: 22CFB530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Memory allocated: 220FC780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Memory allocated: 220FE210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Memory allocated: 1DCAA250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Memory allocated: 1DCC3A60000 memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Memory allocated: 1316A340000 memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Memory allocated: 1316BCC0000 memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13031420000 memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 12831140000 memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 12831160000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 130319A0000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 130319E0000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13031A80000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13041C70000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13042530000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13042620000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Memory allocated: 13042720000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Memory allocated: 25A57270000 memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Memory allocated: 25A6F7F0000 memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Memory allocated: 2BC3FA90000 memory reserve \| memory write watch
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Memory allocated: 2BC593A0000 memory reserve \| memory write watch

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007C4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

6_2_007C4C8E

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Window / User API: threadDelayed 4562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Window / User API: threadDelayed 5184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Window / User API: threadDelayed 3892
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Window / User API: threadDelayed 5873
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Window / User API: threadDelayed 392

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\NAudio.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\taskmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ru-RU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XPath.XDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hr-HR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\fr-FR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.InteropServices.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\el-GR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\hi-IN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.SecureString.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.Parallel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Collections.NonGeneric.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Text.RegularExpressions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\ko-KR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Resources.Reader.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.Pipes.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Globalization.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.ThreadPool.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sl\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsEngine.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\it-IT\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\da-DK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\amd64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Sockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\nl-NL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8CEF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\vi-VN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fil-PH\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Principal.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\zh-TW\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\da-DK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XmlSerializer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ATY5CJG3\rsServiceController.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\sk-SK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tr-TR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.NameResolution.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\sv-SE\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\ARM64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrA818.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Linq.Queryable.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Contracts.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\zh-CN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\OSExtensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\tr-TR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\th-TH\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.CompilerServices.VisualC.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\nl-NL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Tools.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Console.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.Compression.ZipFile.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.TypeConverter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Collections.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pl-PL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\el-GR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Encoding.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\th-TH\RavStub.resources.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sk-SK\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\fi-FI\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt-PT\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ko-KR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-TW\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Dynamic.Runtime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\rsKernelEngine.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\fil-PH\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hi-IN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\vi-VN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Reflection.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\sl-SI\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\de-DE\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\ru-RU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ZMMW8FDC\rsLogger.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Ping.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\amd64\vcruntime140_1.dll (copy)	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\uimanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\SQLite.Interop.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\ja-JP\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\nb-NO\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Globalization.Calendars.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsBridge.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsFrame.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Formatters.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Timer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.ReaderWriter.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsAtom.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\logicmodule.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Tracing.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\rsElam.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\netstandard.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.CompilerServices.Unsafe.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Overlapped.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Csp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Uninstall.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ro-RO\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Linq.Parallel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\es-ES\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.MemoryMappedFiles.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsJSON.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Algorithms.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\rsCamFilter020502.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiA9AF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.DriveInfo.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Reflection.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\cs-CZ\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Claims.dll (copy)	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\lookupmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\Temp3475153614\resource.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Drawing.Primitives.dll (copy)	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\win32\downloadscan.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\KRK4DVBJ\rsJSON.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.AppContext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sl-SI\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\amd64\msvcp140.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\pt\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\de-DE\RavStub.resources.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\uninstaller.exe	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\settingmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebHeaderCollection.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.InteropServices.RuntimeInformation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.NetworkInformation.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\TraceReloggerLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\zh-CN\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Process.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.Client.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Reflection.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.Watcher.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.X509Certificates.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Resources.ResourceManager.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\x64\SQLite.Interop.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Data.SQLite.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\id-ID\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsEngine.JSON.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Numerics.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Writer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\id-ID\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\hu-HU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Globalization.Extensions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ObjectModel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\pt-BR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Http.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Requests.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsEngine.Loggers.Application.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.UnmanagedMemoryStream.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Thread.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Linq.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\UDOOGFD5\rsAtom.DLL	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.TextWriterTraceListener.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\amd64\vcruntime140.dll (copy)	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mwaED6D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsEDRLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\K0L2UM4E\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.TraceSource.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\it-IT\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\cs-CZ\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\hu-HU\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.Compression.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\nb-NO\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Microsoft.Win32.Primitives.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Linq.Expressions.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\pl-PL\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.FastSerialization.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Data.Common.dll (copy)	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\browserhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\pt-BR\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NameResolution.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.IsolatedStorage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XPath.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.IsolatedStorage.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Text.Encoding.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Extensions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.FileVersionInfo.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebHeaderCollection.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\sv-SE\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\ja-JP\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133617854419739262\amd64\msdia140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Calendars.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\es-ES\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\sl\RavStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Serialization.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Sockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	Jump to dropped file
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe	Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\analyticsmanager.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XmlDocument.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.EventBasedAsync.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ValueTuple.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.UnmanagedMemoryStream.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Primitives.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

API coverage: 4.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp TID: 6688	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp TID: 6708	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe TID: 6572	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe TID: 1312	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe TID: 4080	Thread sleep count: 4562 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe TID: 4080	Thread sleep count: 5184 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe TID: 4228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe TID: 6876	Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe TID: 6876	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe TID: 4828	Thread sleep count: 3892 > 30
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe TID: 4828	Thread sleep count: 5873 > 30
Source: C:\Program Files\McAfee\Temp3475153614\installer.exe TID: 1220	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe TID: 6712	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe TID: 280	Thread sleep count: 392 > 30
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe TID: 6324	Thread sleep count: 105 > 30
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp FullSizeInformation			Jump to behavior
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_00405C4D
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_0040689E FindFirstFileW,FindClose,	7_2_0040689E
Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	Code function: 7_2_00402930 FindFirstFileW,	7_2_00402930
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	12_2_00405C4D
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_0040689E FindFirstFileW,FindClose,	12_2_0040689E
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 12_2_00402930 FindFirstFileW,	12_2_00402930
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	13_2_00405C4D
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_0040689E FindFirstFileW,FindClose,	13_2_0040689E
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	Code function: 13_2_00402930 FindFirstFileW,	13_2_00402930

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00822782 VirtualQuery,GetSystemInfo,

6_2_00822782

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp	Jump to behavior

Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.b
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2808401651.00000220FE99F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://images.sftcdn.net/images/t_app-icon-s,f_jpg,w_100,c_scale/p/ef5b43e0-99eb-11e6-8b29-00163ec9f5fa/324590374/wechat-logo.pngc\",\"4\":\"Softonic_DLM\",\"5\":\"\",\"18\":\"\",\"19\":\"\",\"21\":\"\",\"22\":\"\",\"6\":\"1\",\"7\":\"2.40.0.8866\",\"15\":0,\"22\":\"\",\"10\":1}"}oftonic.com/privacy-policy","ctu":"https://hello.softonic.com/terms-of-use","cl":"https://images.sftcdn.net/images/t_app-icon-s,f_jpg,w_100,c_scale/p/ef5b43e0-99eb-11e6-8b29-00163ec9f5fa/324590374/wechat-logo.png","ch":"SEM\|EN_UK_DSA\|paid","ca":"v5.83","cf":"wechat-3.9.7-installer.exe","cpi":"","cps":"","cd":"","cpr":"","cpp":"","cfl":"Shlishi21May10","cj":"+1","cb":"ch","cod":"","ctp":"","cep":""},"f":{"m":2,"x":"2024-11-06T02:42:14.602Z","a":"fa70","d":"46"},"o":[{"ad":{"n":"","f":"ZB_RAV_Cross_Solo_Soft","o":"RAV_Cross"},"ps":{"i":"RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png","dn":"RAV Antivirus","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -i","r":["ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -Microsoft Hyper-V Guest Infrastructure Driver
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Microsoft Hyper-V Virtual PCI Bus
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[p
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Microsoft Hyper-V Generation Counter
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1950985232.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.1941298641.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2500277987.0000000002E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Driver
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Microsoft Hyper-V VHDPMEM BTT Filter
Source: RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %Microsoft Hyper-V Storage Accelerator
Source: component0.exe, 00000003.00000002.2865632923.0000022CF9A42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2{"v":"0.1","l":"US","i":{"cu":"https://gsf-fl.softonic.com/361/738/abda546ab2fc780789a74d376a5f1f4ceb/WeChatSetup.exe?Expires=1717169192&Signature=a1b2e1fb37cfd75df9c990a1d13923f9be834f58&url=https://wechat.en.softonic.com&Filename=WeChatSetup.exe","ct":"WeChat","cp":"https://hello.softonic.com/privacy-policy","ctu":"https://hello.softonic.com/terms-of-use","cl":"https://images.sftcdn.net/images/t_app-icon-s,f_jpg,w_100,c_scale/p/ef5b43e0-99eb-11e6-8b29-00163ec9f5fa/324590374/wechat-logo.png","ch":"SEM\|EN_UK_DSA\|paid","ca":"v5.83","cf":"wechat-3.9.7-installer.exe","cpi":"","cps":"","cd":"","cpr":"","cpp":"","cfl":"Shlishi21May10","cj":"+1","cb":"ch","cod":"","ctp":"","cep":""},"f":{"m":2,"x":"2024-11-06T02:42:14.602Z","a":"fa70","d":"46"},"o":[{"ad":{"n":"","f":"ZB_RAV_Cross_Solo_Soft","o":"RAV_Cross"},"ps":{"i":"RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.png","dn":"RAV Antivirus","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -i","r":["ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","utk":"ReasonPersistentStorage","utvn":"AvUninstallTime","utvt":"SZ","umd":30,"utms":true}],"cp":"https://reasonlabs.com/rav_online_security_policies","ctu":"https://reasonlabs.com/policies","win64":true,"pv":"1.26","disk":250,"fe":["{commonpf64}\\ReasonLabs\\EPP\\InstallerLib.dll","{commonpf64}\\RAVAntiviru

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_008570B4 IsDebuggerPresent,OutputDebugStringW,

6_2_008570B4

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007D5110 RegOpenKeyExW,RegQueryValueExW,SetLastError,RegCloseKey,RegCloseKey,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LoadLibraryExW,GetLastError,

6_2_007D5110

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007C4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

6_2_007C4C8E

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00867BC0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

6_2_00867BC0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00802B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,

6_2_00802B30

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0084E8FE mov eax, dword ptr fs:[00000030h]	6_2_0084E8FE
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00857CAE mov eax, dword ptr fs:[00000030h]	6_2_00857CAE
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00857CF2 mov eax, dword ptr fs:[00000030h]	6_2_00857CF2
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00857C6A mov eax, dword ptr fs:[00000030h]	6_2_00857C6A
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00857D23 mov eax, dword ptr fs:[00000030h]	6_2_00857D23

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_007C463F GetProcessHeap,

6_2_007C463F

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Process token adjusted: Debug
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process token adjusted: Debug
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Process token adjusted: Debug
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Process token adjusted: Debug
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Process token adjusted: Debug
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00839018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00839018
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_008393F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008393F2
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_0083D453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0083D453
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: 6_2_00839586 SetUnhandledExceptionFilter,	6_2_00839586
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396F2A10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF6396F2A10
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 9_2_00007FF6396FE3BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF6396FE3BC

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240601224314&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Process created: C:\Users\user\AppData\Local\Temp\cldwur4x.exe "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\fltMC.exe "fltmc.exe" load rsKernelEngine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6540 -ip 6540
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Source: C:\Windows\System32\runonce.exe	Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: unknown unknown
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	Process created: unknown unknown

Source: runonce.exe, 0000001A.00000002.2358861262.0000024B029F8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ndows Progman Group Converterh$

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00839215 cpuid

6_2_00839215

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoW,	6_2_008545DA
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	6_2_0085C9ED
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	6_2_0085C907
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	6_2_0085C952
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0085CA80
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoW,	6_2_0085CCE0
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_0085CE06
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_0085CFDB
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoW,	6_2_0085CF0C
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: GetLocaleInfoEx,	6_2_00837E28
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	6_2_00853F6D
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoW,	9_2_00007FF639710258
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,	9_2_00007FF6396F1AEC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_00007FF63971C1B8
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00007FF63971CA1C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLocaleInfoEx,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	9_2_00007FF6396A89D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	9_2_00007FF63970FCC0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,	9_2_00007FF6396A9C90
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	9_2_00007FF63971C514
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00007FF63971CC00
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,	9_2_00007FF6396BFC30
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	9_2_00007FF63971C5E4

Queries the product ID of Windows

Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\mainlogo.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\RAV_Cross.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\WebAdvisor.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsStubLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsLogger.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsAtom.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\Microsoft.Win32.TaskScheduler.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\733c2c1e\00b6d669_67a7da01\rsStubLib.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsJSON.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\6b65cc86\2a1aa49d_96b4da01\rsJSON.DLL VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsLogger.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\536788ce\da05b09d_96b4da01\rsLogger.DLL VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsAtom.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\dca1e082\b570f89c_96b4da01\rsAtom.DLL VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\72fcb629\63f1bb9d_96b4da01\rsServiceController.DLL VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsJSON.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\Microsoft.Win32.TaskScheduler.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsWSC.exe VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsWSC.exe VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	Queries volume information: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll VolumeInformation

Queries time zone information

Source: C:\Windows\System32\runonce.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Code function: 6_2_00854619 GetSystemTimeAsFileTime,

6_2_00854619

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 9_2_00007FF6397165D4 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

9_2_00007FF6397165D4

Source: C:\Users\user\AppData\Local\Temp\cldwur4x.exe

Code function: 7_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

7_2_0040351C

Source: C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.0.rsEngineSvc.exe.2bc3f700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc412d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220feb40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220fe910000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220feb00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.rsWSC.exe.13169fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc41310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc5a9d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2437605904.000002BC41312000.00000002.00000001.01000000.00000034.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2377819043.0000013169FE2000.00000002.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2541457093.00000220952CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2437311674.000002BC412D2000.00000002.00000001.01000000.00000033.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.2419994897.000002BC3F702000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2437962183.000002BC413EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2445270867.000002BC5A9D2000.00000002.00000001.01000000.00000035.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2030874846.000000000274A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2035288824.0000000002746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ATY5CJG3\rsServiceController.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\mc.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\UDOOGFD5\rsAtom.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\KRK4DVBJ\rsJSON.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsBridge.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ZMMW8FDC\rsLogger.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe	File opened: C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.0.rsEngineSvc.exe.2bc3f700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc412d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220feb40000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220fe910000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220feb00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.rsWSC.exe.13169fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc41310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RAVEndPointProtection-installer.exe.220957eb6d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.rsEngineSvc.exe.2bc5a9d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2437605904.000002BC41312000.00000002.00000001.01000000.00000034.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.2377819043.0000013169FE2000.00000002.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2541457093.00000220952CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2437311674.000002BC412D2000.00000002.00000001.01000000.00000033.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.2419994897.000002BC3F702000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2437962183.000002BC413EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2031530548.0000000002749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2445270867.000002BC5A9D2000.00000002.00000001.01000000.00000035.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2032710312.0000000002744000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2030874846.000000000274A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2035288824.0000000002746000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2033491650.000000000274A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ATY5CJG3\rsServiceController.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\mc.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\UDOOGFD5\rsAtom.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\KRK4DVBJ\rsJSON.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.JSONInterface.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsBridge.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.JSON.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Core.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\ZMMW8FDC\rsLogger.DLL, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Proxy.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Utilities.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
1 Software	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	21 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	58 System Information Discovery	SMB/Windows Admin Shares	1 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	34 Windows Service	11 Access Token Manipulation	2 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	12 Service Execution	11 Scheduled Task/Job	34 Windows Service	1 Timestomp	LSA Secrets	61 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	11 Registry Run Keys / Startup Folder	12 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	11 Scheduled Task/Job	43 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	51 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	12 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Files and Directories	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Regsvr32	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Rundll32	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wechat-3.9.7-installer_ae-GFz1.exe	12%	ReversingLabs
wechat-3.9.7-installer_ae-GFz1.exe	20%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\McAfee\Temp3475153614\installer.exe	0%	ReversingLabs
C:\Program Files\McAfee\Temp3475153614\installer.exe	0%	Virustotal	Browse
C:\Program Files\McAfee\Temp3475153614\resource.dll	0%	ReversingLabs
C:\Program Files\McAfee\Temp3475153614\resource.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	0%	ReversingLabs
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\Dia2Lib.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\Dia2Lib.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.FastSerialization.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.FastSerialization.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\Microsoft.Win32.Primitives.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\Microsoft.Win32.Primitives.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\OSExtensions.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\OSExtensions.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\SQLite.Interop.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\SQLite.Interop.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\System.AppContext.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\System.AppContext.dll (copy)	0%	Virustotal	Browse
C:\Program Files\ReasonLabs\EDR\System.Collections.Concurrent.dll (copy)	0%	ReversingLabs
C:\Program Files\ReasonLabs\EDR\System.Collections.Concurrent.dll (copy)	0%	Virustotal	Browse

Name	Source	Malicious
https://shield.reasonsecurity.com/ReasonLabs-DNS-se	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-s	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://www.reasonsecurity.	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://config.r	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://logziop.reasonsec	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=tr	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org	rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.ex	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://ud-beta.reasonsecurity	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://config.reaso	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&p	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://ud-beta.reasonsecurit	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
http://www.chambersign.org1	rsWSC.exe, 00000023.00000002.2399301928.000001316C7CF000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/en-us/p	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false
https://shield-dev.reas	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/search?fr=mcasa&type=E170CH91088G0&p=	servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://track.analytics-data.	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	rsWSC.exe, 00000023.00000002.2399301928.000001316C7D3000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.ssc.lt/root-c/cacrl.crl0	rsWSC.exe, 00000023.00000002.2399645841.000001316C80F000.00000004.00000020.00020000.00000000.sdmp	false
https://update-beta.reasonsecurity.com/v2/	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://ch.search.yahoo.com/search?fr=mcafee&type=E580CH91088G0&p=	servicehost.exe, 00000025.00000003.2452440832.0000013031838000.00000004.00000020.00020000.00000000.sdmp	false
https://comipass.reasonsecurity	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update-beta.reasonsecurity	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.reasonsecurity.c	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://sadownload.mcafee.com/products/sa/bsi/win/binary/	saBSI.exe, 00000006.00000003.2015109896.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2473044728.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2137581289.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053470694.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485441210.00000000055DF000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055DF000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlR	regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/Re	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org/2004/07/System.ServiceProcess	rsWSC.exe, 00000023.00000002.2391526354.0000013100113000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oi	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://update.reasonse	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://track.analytics	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update-beta.rea	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://wechat.en.softonic.com&Filename=WeChatSetup.exe	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075B4000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000075C2000.00000004.00001000.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlL	servicehost.exe, 00000025.00000002.2896923575.000001283100D000.00000004.00000020.00020000.00000000.sdmp	false
https://logziop.reasonsecurity.c	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.innosetup.com/	wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1631925978.00000000026F0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.exe, 00000000.00000003.1635080518.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000000.1636976723.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false
https://shield.reasonsecur	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/mozilla-services/screenshots	servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	false
https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_	cldwur4x.exe, 00000007.00000003.1940299909.0000000002752000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000000.1974700588.00000220FC4D2000.00000002.00000001.01000000.00000011.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.000002208002B000.00000004.00000800.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	false
https://sadownload.mcafee.com/CC	servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	false
https://update-beta.reasonsecurity.	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setu	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://track.analytic	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlq	regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mcafee.com/consu	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	false
https://update.reaso	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/Rea	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonse	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://update-beta.re	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://config-beta.r	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlj	saBSI.exe, 00000006.00000002.2500277987.0000000002E1D000.00000004.00000020.00020000.00000000.sdmp	false
https://d2dbdb0phbn9qb.cloudfront.net/f/RAV/images/ZB_RAV_Bisli_Logo_bcg_V2/DOTPS-588/EN.pngp&	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&pt	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://config.rea	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update-beta.reasonsecur	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://www.reasonsecurity.com/X	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update.reasonsecurity.com/	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-DNS-setup.e	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.google.com/favicon.ico	installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2213293775.000001EE50606000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2190170982.000001EE50498000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2241432639.000001EE505DA000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	false
https://config.re	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update-beta.reason	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlX	regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&i	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-DNS-setu	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://ud.rea	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update.reasonsecurity.com/v2/upd	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://d2dbdb0phbn9qb.cloudfront.net/zbd	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2221871373.00000000053D2000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2227889874.00000000074ED000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2215944559.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	false
https://update.reasonsecurity.com/v2/up	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://update.reasons	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield-dev.reasonsecurity.com/ReasonLabs-VPN-set	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://ud.reas	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://config-beta.reasonsecuri	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://electron-shell.reasonsecurity.com	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080131000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABB7C000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/en-us/policy/legal.htmlz;	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A59000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/en-us/policy/legal.html7	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000002.2210584480.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695379542.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false
https://update.reasonsecurity.com/v2/	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://update.reasonsecurity.com/v2/live	rsSyncSvc.exe, 0000000B.00000002.2876299769.0000018992E00000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000003.2015136920.0000000002742000.00000004.00000020.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000011.00000002.2893798547.000001DCABA8B000.00000004.00000800.00020000.00000000.sdmp	false
https://ud.r	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://config.reasonsecurity.	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://sadownload.mcafee.com/products/saY0	servicehost.exe, 00000025.00000002.2893559599.0000012830357000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000003.2389558951.000001283035F000.00000004.00000020.00020000.00000000.sdmp	false
https://sadownload.mcafee.com/EB	servicehost.exe, 00000025.00000002.2914529753.0000013041D64000.00000004.00000020.00020000.00000000.sdmp	false
https://sadownload.mcafee.com/products/SA/v1/bsi	saBSI.exe, 00000006.00000003.2486133896.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2122780803.00000000055C2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2485866665.00000000055C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2015109896.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2027977822.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2131499733.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2053115287.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	false
https://www.mcafee.com/consumer/v/wa-how.htmlu	regsvr32.exe, 00000026.00000003.2384519087.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false
https://.servicebus.windows.net/&se=&skn=Failed	installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	false
https://www.google.com/search?q=%s	installer.exe, 00000015.00000003.2196277192.000001EE50555000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, servicehost.exe, 00000025.00000002.2918576300.00007FFDEF5D6000.00000002.00000001.01000000.00000032.sdmp	false
http://home.mcafee.com/SaveEulaTrackingDetailsHost:	installer.exe, 00000015.00000003.2288937766.000001EE50574000.00000004.00000020.00020000.00000000.sdmp, installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	false
https://config-beta.reaso	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://www.mcafee.com/consum	wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1732786492.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, wechat-3.9.7-installer_ae-GFz1.tmp, 00000001.00000003.1695287864.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp	false
https://update.reason	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonL	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp, RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://shield.reasonsecurity.com/ReasonLabs-VPN-setup.exe?oip=26&dta=true&ptl=7&i	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.0000022080622000.00000004.00000800.00020000.00000000.sdmp	false
https://ud.reasonsecurity.c	RAVEndPointProtection-installer.exe, 00000008.00000002.2506176810.00000220805C9000.00000004.00000800.00020000.00000000.sdmp	false
https://analytics.qa.apis.mcafee.comhttps://analytics.apis.mcafee.comContent-Type:	installer.exe, 00000015.00000000.2183633089.00007FF7F5B46000.00000002.00000001.01000000.0000001B.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
44.240.167.6	unknown	United States	16509	AMAZON-02US	false
2.16.164.104	unknown	European Union	20940	AKAMAI-ASN1EU	false
18.66.102.77	unknown	United States	3	MIT-GATEWAYSUS	false
3.214.3.211	unknown	United States	14618	AMAZON-AESUS	false
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.22.242.105	unknown	European Union	20940	AKAMAI-ASN1EU	false
151.101.1.91	unknown	United States	54113	FASTLYUS	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.21.226	unknown	United States	13335	CLOUDFLARENETUS	false
13.224.189.78	unknown	United States	16509	AMAZON-02US	false
18.172.112.22	unknown	United States	3	MIT-GATEWAYSUS	false
13.226.184.70	unknown	United States	16509	AMAZON-02US	false
104.102.41.70	unknown	United States	16625	AKAMAI-ASUS	false
2.16.164.48	unknown	European Union	20940	AKAMAI-ASN1EU	false
199.232.194.133	unknown	United States	54113	FASTLYUS	false
52.88.235.102	unknown	United States	16509	AMAZON-02US	false
44.206.168.227	unknown	United States	14618	AMAZON-AESUS	false
2.23.65.62	unknown	European Union	16625	AKAMAI-ASUS	false
104.124.11.8	unknown	United States	20940	AKAMAI-ASN1EU	false
18.66.121.153	unknown	United States	3	MIT-GATEWAYSUS	false
13.35.58.90	unknown	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1450567
Start date and time:	2024-06-02 04:41:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wechat-3.9.7-installer_ae-GFz1.exe
Detection:	MAL
Classification:	mal48.rans.troj.spyw.evad.winEXE@78/1890@0/21
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 56% Number of executed functions: 125 Number of non-executed functions: 151
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
Execution Graph export aborted for target component0.exe, PID 7068 because it is empty
Execution Graph export aborted for target installer.exe, PID 3020 because there are no executed function
Execution Graph export aborted for target wechat-3.9.7-installer_ae-GFz1.tmp, PID 6540 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
03:42:45	Task Scheduler	Run new task: EPPHealthCheck path: C:\Program Files\ReasonLabs\EPP\Uninstall.exe s>/auto-repair=RavStub
22:42:14	API Interceptor	8x Sleep call for process: wechat-3.9.7-installer_ae-GFz1.tmp modified
22:42:43	API Interceptor	17845x Sleep call for process: RAVEndPointProtection-installer.exe modified
22:43:00	API Interceptor	2x Sleep call for process: WerFault.exe modified
22:43:24	API Interceptor	11x Sleep call for process: servicehost.exe modified
22:43:25	API Interceptor	1x Sleep call for process: rsWSC.exe modified
22:43:27	API Interceptor	1x Sleep call for process: installer.exe modified
22:44:10	API Interceptor	1x Sleep call for process: component0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
2.16.164.104	https://www-visacom-sg.wgmspu93576.workers.dev/	Get hash	malicious	Unknown	Browse
	http://iykdkk.pages.dev/	Get hash	malicious	Unknown	Browse
	http://www.imt.niu.edu/ipdb3n4m.azodusexz?ccyWVKqcc00VXcyKGjcccWgctcB5J7kxlrcbbb5m======	Get hash	malicious	Phisher	Browse
13.89.179.12	lgX7lgUL1w.exe	Get hash	malicious	Neoreklami, PureLog Stealer, SmokeLoader	Browse
	WebReport_safe_certified_2024.zip	Get hash	malicious	Unknown	Browse
	cpprest141_2_10.dll	Get hash	malicious	Unknown	Browse
	DbfauspePu.exe	Get hash	malicious	Neoreklami	Browse
	file.exe	Get hash	malicious	Neoreklami	Browse
	mFXWSY6SE8.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc	Browse
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	OneLaunch - EarthView3D_3o3f1.exe	Get hash	malicious	Unknown	Browse
	Mp7cjtN6To.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	s8veIRIGWR.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	J5QZtYKm.posh.ps1	Get hash	malicious	Unknown	Browse	52.72.49.79
	https://violation-support-460106ta-01apc3.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	54.163.161.109
	https://cloud-12-2.pages.dev/	Get hash	malicious	Unknown	Browse	18.232.36.154
	https://2ly.link/1yIYR	Get hash	malicious	Unknown	Browse	52.202.28.55
	https://famous66-cascaron-d57a98-vd656.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	52.55.149.163
	https://8w3wzy4q.pages.dev/	Get hash	malicious	Unknown	Browse	34.238.183.222
	http://support-team-460106ta-04aeo12.netlify.app/form.html	Get hash	malicious	Unknown	Browse	54.163.161.109
	https://aphike-team-12056847-6aq5hd5.netlify.app/review_case_id4964-atfd-48xd.html/	Get hash	malicious	Unknown	Browse	34.238.34.141
	https://capitalist-enterprise-1ad087.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	54.163.161.109
	https://support-team-460106ta-04aeo12.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	52.55.149.163
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://2ly.link/1yIYR	Get hash	malicious	Unknown	Browse	13.107.246.45
	AS-2023-CS.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.67
	t4p0nt07.x86.elf	Get hash	malicious	Mirai	Browse	40.89.20.31
	wQsdlAeKOF.elf	Get hash	malicious	Mirai	Browse	20.124.38.232
	xVZShu82Pj.elf	Get hash	malicious	Mirai	Browse	104.147.78.151
	C7QZHqCV7n.elf	Get hash	malicious	Unknown	Browse	20.64.77.238
	91x5iCFuf7.elf	Get hash	malicious	Mirai	Browse	104.214.224.255
	ACKpfvO313.elf	Get hash	malicious	Mirai	Browse	40.82.61.188
	vh9HOxBJJN.elf	Get hash	malicious	Mirai	Browse	40.71.92.212
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	40.85.218.2
AMAZON-02US	https://mysteryminte18.vercel.app/	Get hash	malicious	Unknown	Browse	3.71.155.187
	https://mystery-mintr29.vercel.app/	Get hash	malicious	Unknown	Browse	18.194.32.216
	https://mysteryopen31.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.22
	https://violation-support-460106ta-01apc3.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	18.239.69.105
	https://cloud-12-2.pages.dev/	Get hash	malicious	Unknown	Browse	3.161.118.108
	https://dana-id-co.wwbnits.com/claiim.dana.kagett/	Get hash	malicious	Unknown	Browse	108.138.199.86
	https://mysterynftes6.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.98
	https://2ly.link/1yIYR	Get hash	malicious	Unknown	Browse	18.239.94.3
	https://pub-0cc0980a246e413285127dab939f7379.r2.dev/index.html	Get hash	malicious	Unknown	Browse	18.192.94.96
	https://pub-ddd7a9690be64fcc90b63dcf4c9f234a.r2.dev/index.html	Get hash	malicious	Unknown	Browse	3.70.101.28
AKAMAI-ASN1EU	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse	172.233.128.220
	http://1009.liqing-71.workers.dev/	Get hash	malicious	Unknown	Browse	2.19.96.161
	http://tora.jzturn.workers.dev/	Get hash	malicious	Unknown	Browse	2.19.96.186
	http://cless.kichan.eu.org/	Get hash	malicious	Unknown	Browse	2.19.96.218
	http://usai.bawoowang.workers.dev/	Get hash	malicious	Unknown	Browse	2.19.96.201
	http://pi.eleonore-huyue.workers.dev/	Get hash	malicious	Unknown	Browse	2.19.96.240
	http://worker-silent-bird.wrytd.workers.dev/	Get hash	malicious	Unknown	Browse	23.213.161.196
	http://worker-shy-dew.wrytd.workers.dev/	Get hash	malicious	Unknown	Browse	23.213.161.208
	http://ink-01.72xod8ipxg.eu.org/	Get hash	malicious	Unknown	Browse	2.19.96.240
	http://tmagic.powerinside.win/	Get hash	malicious	Unknown	Browse	2.19.96.186
MIT-GATEWAYSUS	https://famous66-cascaron-d57a98-vd656.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	18.66.27.49
	https://auth-ttrezor-startt.webflow.io/	Get hash	malicious	Unknown	Browse	18.164.52.41
	https://capitalist-enterprise-1ad087.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	18.66.27.49
	https://support-team-460106ta-04aeo12.netlify.app/id.html/	Get hash	malicious	Unknown	Browse	18.165.183.100
	https://capitalist-enterprise-1ad087.netlify.app/form.html	Get hash	malicious	Unknown	Browse	18.66.27.49
	t4p0nt07.arm.elf	Get hash	malicious	Unknown	Browse	19.130.43.219
	t9lNEiD3ui.elf	Get hash	malicious	Mirai	Browse	19.162.241.239
	G7b98y6IWj.elf	Get hash	malicious	Mirai	Browse	19.143.140.126
	https://download2.easeus.com/installer_rss_new.php	Get hash	malicious	Unknown	Browse	18.172.112.4
	https://track.cornzself.com/bad38662-656e-4aa6-ae91-6bf2d0472a97?%7Bvar1%7D=txt1&%7Bvar2%7D=mz&%7Bvar3%7D=19189907751	Get hash	malicious	Unknown	Browse	18.172.112.25

Process:	C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe
File Type:	Microsoft Cabinet archive data, many, 1819745 bytes, 2 files, at 0x44 +A "\analyticsmanager.dll" +A "\analyticsmanager.manifest", flags 0x4, number 1, extra bytes 20 in head, 165 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	1841185
Entropy (8bit):	7.999662053959488
Encrypted:	true
SSDEEP:	24576:FOsg7Dhv2QFuRRPqdHuBwjBmqc80nm+1b1wMSDl6DGk62Gi1dYlJetT0lIwg6jwx:16hvi3+TCUdkZ1dYOtT0lIwf59SX
MD5:	DC4E5A62F9C5B04C8D3D20DB961371F5
SHA1:	12FB6AC6D3722A8BCE60F77CA808E5959DE95E02
SHA-256:	F43F800D8D85D7C5AF3BBFA5B2EA13D183BE8E8AD57F7A7FA4475BF603A693E9
SHA-512:	C684D5C877045855DF3CEFFA525DFFBC53D55B3559D1DCA19E10C586F2DB7085CB395A6F933ECCF8F2248E6338DCBAD294B54014F1BEFB6B2534879413AA3531
Malicious:	true
Reputation:	unknown
Preview:	MSCF....a.......D...........................a....S....................R........X\t .\analyticsmanager.dll.......R....Xnt .\analyticsmanager.manifest....Q.+..[...0 H....@d.5.....Vo..zc...T..b.....X.Q.g..i.3 m..L...kw7.n}.i..n.....v......Zi.3....+.83+.>.....7..g.._.g.f....@,,..y...@P.dx.Y...m/u.28...3..6.z..mKE..\..#....Z,.i.-$8.i....&.e.A..@....:!.A........N......A..).(."0............r...g]b$....8.Z..C........rC.h.<Y.......^.>..z...../...d.R......~.....}...o>..... .zw.q.k...u.........j.ucu.....^U.-...n..+..1sou..&.U.&9R...&...x.N...?ul..$....P.R....P..I...'..^.I_.?...T.b...b.QO...wo.S.]...S,..L[pY=.7.eK....{.S.3.o..v.........'...6P.nE..K_..$..{o.....,..$d_.X=..X......?..\|..u...%...BHs..?..q.4.&{5v^E.;.....%..W...d+.m^.P.....\|...*._....}.j.-.......v.tlg..D......N....x..C.l!...n\|.........\|:.,.i.[.[.~......g.6}l...6l......w.....#...............>[4;.c.d.k.................>.b....PN...Z.....i{MNS.'....{O.v.z...../...7...gk.k4].3....9.....e6..[._..

Process:	C:\Program Files\McAfee\WebAdvisor\servicehost.exe
File Type:	ASCII text, with very long lines (1458), with CRLF line terminators
Category:	dropped
Size (bytes):	1665
Entropy (8bit):	5.299957524025923
Encrypted:	false
SSDEEP:	48:HL4WKW98d7lvOKi18GDAxJxFyWLcLBoHC85QsZKg:pKxd71OKincxJxMW08D
MD5:	1325BBAD2BB01570B527769E0AD7AFCF
SHA1:	7FE83FC3C9152EB433176481F1B09C6D77654F8B
SHA-256:	3D653E48C4CAC8C85C3D686EEEA27BA230D10BD49B44E72C69C0AAEBF279DF10
SHA-512:	199D8BF69E56D7CFC3AEFD6991AE0C8CDA0F2A632FCED126C51A7238EF62D7B6E70B47004AAF78BD5A6E28537D99650599266F410A7F3C9AC12C850C4FDBD58E
Malicious:	false
Reputation:	unknown
Preview:	/! $FileVersion=1.2.181 / var aviary_client_fileVersion = "1.2.181"; ..function CreateAviaryClientHelper(){try{var a={Get:function(d){try{if(this._aviaryPlugin){return this._aviaryPlugin.Get(d)}}catch(c){this._logError("Get exception: "+c.message)}return null},Set:function(c,d){if(this._aviaryPlugin){this._aviaryPlugin.Set(c,d)}},ToJsonString:function(){try{if(this._aviaryPlugin){return this._aviaryPlugin.ToJsonString()}}catch(c){this._logError("ToJsonString exception: "+c.message)}return null},GetDirtyFlag:function(d){try{if(this._aviaryPlugin){return this._aviaryPlugin.GetDirtyFlag(d)}}catch(c){this._logError("GetDirtyFlag exception: "+c.message)}return true},Setup:function(){try{if(this._aviaryPlugin){return}var f=JSONManager.getSingleton("dictionary");var c=f.data;var d=c.product_settings;this._aviaryPlugin=getPluginFactory().Create("ContextItemAviaryStore");this._aviaryPlugin.Initialize(JSON.stringify(d));getScriptVariableStore().Set("ContextItemAviaryStore",this._aviaryPlugin)}

Process:	C:\Program Files\McAfee\WebAdvisor\uihost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	560
Entropy (8bit):	5.209364827816918
Encrypted:	false
SSDEEP:	12:ZRVA2yRbbs8J1VxJRVAfGRbbs8J1V3JRVA5W7Rbbs8J1VxJRVAIyRbbs8J1V33:C2yRoY1VYfGRoY1Vi5yRoY1VYIyRoY1F
MD5:	44914D8D64EF2F18D4ABFC8371B7C38B
SHA1:	0DAC01D92DFF57E1072092F2F38335ECDB3105A8
SHA-256:	86F8CAACD869E752ABC7E6D7DE6BE8CA090291C055B03071DA8FEBA867BB6FF5
SHA-512:	A6E3E8B5D9CCB4FD979FAF94856C98CE8B6B556A20FCAC8CB97224B59063CE755F1166084532BC275156D1E73AFCFEC3B754EE3B464F9024B24108BEFE344BD2
Malicious:	false
Reputation:	unknown
Preview:	[ERR][20240602 00:21:20.244][wps_utils_scriptable.cpp@58]: Failed to get value of WPS setting CloudSDK.cache: GET /subscription/v3/details..[ERR][20240602 00:21:20.463][wps_utils_scriptable.cpp@58]: Failed to get value of WPS setting CloudSDK.cache: GET /subscription/v1/details..[ERR][20240602 00:21:20.713][wps_utils_scriptable.cpp@58]: Failed to get value of WPS setting CloudSDK.cache: GET /subscription/v3/details..[ERR][20240602 00:21:20.932][wps_utils_scriptable.cpp@58]: Failed to get value of WPS setting CloudSDK.cache: GET /subscription/v1/details..

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3899496444384478
Encrypted:	false
SSDEEP:	192:uth26evX0s7Rjj0/O3TfR95iXzuiFqZ24IO8s:wh26evks7RjjHfRrszuiFqY4IO8s
MD5:	A29BA7E34DC5555567578AD8D49FCED3
SHA1:	D633CEE975B9C41D582E04E5F80B672B6B3C3151
SHA-256:	C1E0D8F8F6062794CF8D4311ACBAF95CC0C11530FC8F8BC722E8CCCF83DC427C
SHA-512:	FBB9BB8E776F9487C7F2B29EAD9DAD8082288A99E87D90136BC34E7C70B89818120A77D8DCA876E790CD1F763D3573D3024607D0F83D0EA3E4FC8CCDED6F9200
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.7.6.9.7.8.1.3.7.1.0.8.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.7.6.9.7.8.2.0.5.8.5.8.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.2.2.7.0.8.3.-.5.e.4.f.-.4.7.2.8.-.b.b.c.7.-.3.7.4.b.1.7.d.d.b.1.e.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.3.d.f.0.6.0.-.3.d.6.3.-.4.4.8.f.-.8.d.8.e.-.3.2.c.5.5.6.8.1.9.3.7.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.e.c.h.a.t.-.3...9...7.-.i.n.s.t.a.l.l.e.r._.a.e.-.G.F.z.1...t.m.p.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.c.-.0.0.0.1.-.0.0.1.4.-.4.2.8.7.-.5.6.7.6.9.6.b.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.2.7.e.7.1.1.c.2.5.c.1.d.b.3.5.4.7.c.4.a.0.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81662
Entropy (8bit):	3.1028510284881223
Encrypted:	false
SSDEEP:	1536:yX5A9ZErV8hbOQm0fidyyOAELy5999vTNIg+CotR1PZcaPKxnH/uPuvEH+/PfvNB:yX5A9ZErV8hbOQm0fidyNAELy5999vTV
MD5:	0281303CA435DB4216C99F8D58F34287
SHA1:	B4B4BBC100ACD7CB154141A87AE779160C9FBC9B
SHA-256:	EE9BC172A34B50FB3DDBB91F01FBBBA2D68847310860B8956CEAAAFC2CC85C30
SHA-512:	EE592743B4205CF3B31F6A2CC27E85EE07DDEC690C7744E10ACE8F451F67BCBE8640DFD050701F4CE7F2345D0874ACED136ABFFCBA5D5417892B6AEBC0BA2877
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Windows\System32\runonce.exe
File Type:	data
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	2.083360363049019
Encrypted:	false
SSDEEP:	384:YUpOHOh0hTNVqvHimUYJU7i0TiXyZ2QL0cMsb2pipI1CaYGNOzF9caAeGS+y1650:Ah
MD5:	36C93C2667008C461F27730F9546002D
SHA1:	A21000747F25CC2626FDDC853D314E55912B91D2
SHA-256:	5F5DF4D5A3D5EC5BF42062BE3597DEE59C7B1595A1D17F4C2CAEEB692F31651F
SHA-512:	E6D14595DEDB83B63E255915205F391CDA2DBA4735AA21232F0AD7DCB33C5A22778BFCAEDB4EB65BBF5D1AE8B8A75D538D35C002BE565085DB65341AA7B76E6C
Malicious:	false
Reputation:	unknown
Preview:	. ......................................................................................K..8............. ......eJ......&#(.....Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................N9..............s..............E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.E.x.p.l.o.r.e.r.\.E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...e.t.l...........P.P.........N..8............................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3209792
Entropy (8bit):	6.332772710233832
Encrypted:	false
SSDEEP:	49152:SWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYS:etLutqgwh4NYxtJpkxhGj333TB
MD5:	053B158842578C53DB20AD6835B8658B
SHA1:	4B3E035E7D86ACB1F2EEAB850E940E70FC63AC20
SHA-256:	FBB3B174E158168DB58855286AA1CF9537DE8084070EE5751DD3B252E9B7DACA
SHA-512:	CF96CEBFDF18C6C0069D8436A2147246F36B5DC808A6CA84104A47B20F9C8832BB72CEDD8530CE7E21C1E1C90306868854AA3A3DC59077EF5C32A8848EA68D81
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1.....$.1...@......@....................-.......-..9....................0.@(...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

Process:	C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	58209
Entropy (8bit):	7.972991367414719
Encrypted:	false
SSDEEP:	1536:6OUhw1+qeEfOq4pFzFAKrm9OHUuYNNoqcYpt8VCY7zlO:V7eEfM1B0uUtyCu0
MD5:	4167C79312B27C8002CBEEA023FE8CB5
SHA1:	FDA8A34C9EBA906993A336D01557801A68AC6681
SHA-256:	C3BF350627B842BED55E6A72AB53DA15719B4F33C267A6A132CB99FF6AFE3CD8
SHA-512:	4815746E5E30CBEF626228601F957D993752A3D45130FEEDA335690B7D21ED3D6D6A6DC0AD68A1D5BA584B05791053A4FC7E9AC7B64ABD47FEAA8D3B919353BB
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a.....IDATx......U....g....,`F@RY..j0.........t..U.....u..z3Q\u.....>...]..zwzd...`&"..{..t....<$.l<N.L..L.f.W...9u...z..g2s.Wuu...9.[.N......`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0.....`0...iK....`0..3.%K..T.#.N...-....(J...l>z.ha.]EL.F.5.....0#..].....Sv.....p.....%..B6..x.n.\.S....EO.].c......`0.....7...;.xG7.S......T/.0.....`0..Vv..E..).......k.4.....`.1.e...f.j+....S.Rz..><022.V...i.....`0.....z..(.S...T...X....^..`0..3....YO....c.-Dm...8;....CI...j..?+..`,.:..7..0..I.+.$..q.]>.y....xx.o...8h..`0..... .=".P..ZG...M.7.!....>..;V{.v.J...(xG..C....v....~h....S.Y'..x.U../.P\|+E.P...a..a.H..."...]oV.S.%.V....fN.^...oW.[..6$.fy.Y....r..`0...C..l.6.s../.wlCp....(. .[...Z..v.W...+..<.J<{ gIs.N5.n.!......'.'..Q-\.....,....H..Km.7.....`0....L.jii.......{W1s.Y.......ni..G3..a..fUiF:j.+..._..

Process:	C:\Users\user\AppData\Local\Temp\cldwur4x.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\ReasonLabs\EPP\Uninstall.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1952048
Entropy (8bit):	7.807173257576082
Encrypted:	false
SSDEEP:	49152:oTl+Ffl0KCV8rEKbhHJikCz/NqoNcugBhnem0XA:oTl+xLRHAVLVNcpipQ
MD5:	6C0F8BF824E17C2F0DDFF150D8DC7488
SHA1:	BA9C27DA2BABACD1B9EC63F3C27EFAB3DDD1673E
SHA-256:	7A3BB8C2326FF535C6582FA627AA384B0D1E89DA1D7722B4230BE7080126E04E
SHA-512:	B3B593F34E2FD43DEA8C587AFD3D527E21011BB02DBD085908CDB92C1A134E26A16FADBE8B25DE498AEAFCFF894322F9C90EB729CA6E3D5AD8CD793631B86BF7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.................................>.....@.............................................(............i..x_...........................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...p...............................rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	05/12/2023 00:00:00 04/12/2024 23:59:59
Subject Chain	CN=Softonic International SA, O=Softonic International SA, L=Barcelona, S=Barcelona, C=ES
Version:	3
Thumbprint MD5:	645062A19EBA838A05F35F9E658A2634
Thumbprint SHA-1:	0826DC0AF20D41B35F929BFD15B8628FFC67BA53
Thumbprint SHA-256:	F01B15B21A7C4E3443E961A9743A2400F6F3BA2374040FA2C968A1382B820378
Serial:	0FB1B101957A7B7B6042138BD4CCF2A3

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1adeb8	0x2840
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	43af0a9476ca224d8e8461f1e22c94da	False	0.34525867693110646	data	6.357635049994181	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	185e04b9a1f554e31f7f848515dc890c	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	cab2107c933b696aa5cf0cc6c3fd3980	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	e7d1635e2624b124cfdce6c360ac21cd	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	8ced971d8a7705c98b173e255d8c9aa7	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	8d4e1e508031afe235bf121c80fd7d5f	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x11000	0x11000	366d8de3ab89ffba40b5dbfe3b31d799	False	0.18636546415441177	data	3.698855471720625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xc80e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xc8748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xc8a30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xc8b58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xca180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcb028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcb8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcbe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xcd120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd1348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd38f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd4998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd4e00	0x360	data			0.34375
RT_STRING	0xd5160	0x260	data			0.3256578947368421
RT_STRING	0xd53c0	0x45c	data			0.4068100358422939
RT_STRING	0xd581c	0x40c	data			0.3754826254826255
RT_STRING	0xd5c28	0x2d4	data			0.39226519337016574
RT_STRING	0xd5efc	0xb8	data			0.6467391304347826
RT_STRING	0xd5fb4	0x9c	data			0.6410256410256411
RT_STRING	0xd6050	0x374	data			0.4230769230769231
RT_STRING	0xd63c4	0x398	data			0.3358695652173913
RT_STRING	0xd675c	0x368	data			0.3795871559633027
RT_STRING	0xd6ac4	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd6d68	0x10	data			1.5
RT_RCDATA	0xd6d78	0x2c4	data			0.6384180790960452
RT_RCDATA	0xd703c	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd7068	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xd7124	0x584	data	English	United States	0.2776203966005666
RT_MANIFEST	0xd76a8	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Target ID:	0
Start time:	22:42:07
Start date:	01/06/2024
Path:	C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe"
Imagebase:	0x400000
File size:	1'771'256 bytes
MD5 hash:	C9DB32520878A90F367B284F5F765AB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	22:42:08
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BFDMQ.tmp\wechat-3.9.7-installer_ae-GFz1.tmp" /SL5="$1040C,837551,832512,C:\Users\user\Desktop\wechat-3.9.7-installer_ae-GFz1.exe"
Imagebase:	0x400000
File size:	3'209'792 bytes
MD5 hash:	053B158842578C53DB20AD6835B8658B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	22:42:34
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240601224314&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i
Imagebase:	0x22cf9880000
File size:	45'608 bytes
MD5 hash:	DDFFAA966C03DC4BEF4DCB947DCC474B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wechat-3.9.7-installer_ae-GFz1.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\McAfee\Temp3475153614\analyticsmanager.cab

C:\Program Files\McAfee\Temp3475153614\analyticstelemetry.cab

C:\Program Files\McAfee\Temp3475153614\balloon_safe_annotation.png

C:\Program Files\McAfee\Temp3475153614\browserhost.cab

C:\Program Files\McAfee\Temp3475153614\browserplugin.cab

C:\Program Files\McAfee\Temp3475153614\downloadscan.cab

C:\Program Files\McAfee\Temp3475153614\eventmanager.cab

C:\Program Files\McAfee\Temp3475153614\icon_complete.png

C:\Program Files\McAfee\Temp3475153614\icon_failed.png

C:\Program Files\McAfee\Temp3475153614\icon_laptop.png

Windows Analysis Report
wechat-3.9.7-installer_ae-GFz1.exe

Target ID:	6
Start time:	22:42:37
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Imagebase:	0x7b0000
File size:	1'184'128 bytes
MD5 hash:	143255618462A577DE27286A272584E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	22:42:38
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\cldwur4x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent
Imagebase:	0x400000
File size:	1'952'048 bytes
MD5 hash:	6C0F8BF824E17C2F0DDFF150D8DC7488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1946551631.0000000002756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1945288399.000000000275F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1944662901.0000000002754000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1945929444.0000000002759000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1947943093.000000000275C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	22:42:42
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\nsg8D3E.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\cldwur4x.exe" /silent
Imagebase:	0x220fc4d0000
File size:	550'984 bytes
MD5 hash:	31CB221ABD09084BF10C8D6ACF976A21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2807618602.00000220FE912000.00000002.00000001.01000000.00000038.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2541457093.00000220952CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2813307929.00000220FEB02000.00000002.00000001.01000000.00000039.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2506176810.000002208072E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2506176810.000002208040B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2814717721.00000220FEB42000.00000002.00000001.01000000.0000003A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	22:42:45
Start date:	01/06/2024
Path:	C:\Program Files\ReasonLabs\EPP\Uninstall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub
Imagebase:	0x400000
File size:	1'952'048 bytes
MD5 hash:	6C0F8BF824E17C2F0DDFF150D8DC7488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	22:42:46
Start date:	01/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	17
Start time:	22:42:52
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\nsxAA0D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\nsmA848.tmp\Uninstall.exe" /auto-repair=RavStub
Imagebase:	0x1dca9e90000
File size:	550'984 bytes
MD5 hash:	31CB221ABD09084BF10C8D6ACF976A21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	18
Start time:	22:42:58
Start date:	01/06/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BGV4J.tmp\component1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Imagebase:	0x7ff72bec0000
File size:	29'321'856 bytes
MD5 hash:	58B8915D4281DB10762AF30EAF315C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	20
Start time:	22:43:01
Start date:	01/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 1064
Imagebase:	0xb90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	22:43:03
Start date:	01/06/2024
Path:	C:\Program Files\McAfee\Temp3475153614\installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\McAfee\Temp3475153614\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Imagebase:	0x7ff7f5990000
File size:	2'990'000 bytes
MD5 hash:	B2B02A72E98408C9E0EBD5036BD7A092
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	22
Start time:	22:43:15
Start date:	01/06/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Imagebase:	0x7ff63ffb0000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true