Windows Analysis Report
faststone-capture_voLss-1.exe

Overview

General Information

Sample name: faststone-capture_voLss-1.exe
Analysis ID: 1525397
MD5: d8ad93ef2790aa264ab569f5ba8a67cb
SHA1: 67b01f6a855b6c5def8863b0d2ef157a44762a28
SHA256: 94375dbac8e6dfd152a3c3b9e33d1c6fc18d5f86e2b486124cc4f67dbef68ce6

Detection

PureLog Stealer
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 37
Range: 0 - 100

Signatures

AI detected phishing page
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Allocates memory in foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates an autostart registry key pointing to binary in C:\Windows
Drops large PE files
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs Task Scheduler Managed Wrapper
Tries to harvest and steal browser information (history, passwords, etc)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTML page contains hidden javascript code
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Suspicious Rundll32 Setupapi.dll Activity
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
query blbeacon for getting browser version

Classification

AV Detection

Source: faststone-capture_voLss-1.exe ReversingLabs: Detection: 45%
Source: faststone-capture_voLss-1.exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BB14F0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CryptMsgGetParam,CertFreeCRLContext,CertFreeCRLContext, 6_2_00BB14F0
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BB17A0 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptQueryObject,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore, 6_2_00BB17A0
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B65870 GetCurrentProcessId,GetCurrentThreadId,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,UuidCreate,UuidCreate,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 6_2_00B65870
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B66220 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl, 6_2_00B66220
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B9E610 CryptMsgClose, 6_2_00B9E610
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B667B0 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl, 6_2_00B667B0
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B9EB60 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptQueryObject,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore, 6_2_00B9EB60
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B9F150 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertFreeCRLContext, 6_2_00B9F150
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B9F3C0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertGetNameStringW,CertGetNameStringW,CertGetCertificateChain,CertFreeCertificateChain,CertFreeCertificateChain,CertVerifyCertificateChainPolicy,CertFreeCertificateChain,CertFreeCRLContext,CertFreeCRLContext, 6_2_00B9F3C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47C14A0 CryptQueryObject,GetLastError,CryptMsgGetParam,GetLastError,LocalAlloc,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,CertGetNameStringW,CertGetNameStringW,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 10_2_00007FF6B47C14A0
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp EXE: C:\Users\user\Downloads\faststone-capture.exe

Phishing

Source: https://en.download.it/?typ=1 LLM: Score: 9 Reasons: The brand 'CLOUDFLARE' is well-known and typically associated with the domain 'cloudflare.com'., The URL 'en.download.it' does not match the legitimate domain name for Cloudflare., The domain 'download.it' is unrelated to Cloudflare and could be used to mislead users., The use of a generic domain like '.it' and the presence of 'download' in the URL are suspicious and not typical for Cloudflare's services., There is no clear association between the brand 'CLOUDFLARE' and the provided URL. DOM: 0.2.pages.csv
Source: https://en.download.it/?typ=1 LLM: Score: 8 Reasons: The brand 'CLOUDFLARE' is well-known and typically associated with the domain 'cloudflare.com'., The URL 'en.download.it' does not match the legitimate domain name for Cloudflare., The domain 'download.it' is unrelated to Cloudflare and could be used to mislead users., The use of a generic domain like 'download.it' is suspicious and not typically associated with Cloudflare's services., There is no clear indication that Cloudflare would use a domain like 'download.it' for any of its services. DOM: 0.17.pages.csv
Source: https://en.download.it/?typ=1 HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="none"><path fill="#B20F03" d="M16 3a13 13 0 1 0 13 13A13.015 13.015 0 0 0 16 3m0 24a11 11 0 1 1 11-11 11.01 11.01 0 0 1-11 11"/><path fill="#B20F03" d="M17.038 18.615H14.87L14.563 9.5h2....
Source: https://en.download.it/?typ=1 HTTP Parser: No favicon

Compliance

Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp EXE: C:\Users\user\Downloads\faststone-capture.exe
Source: faststone-capture_voLss-1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Window detected: HYPERLINK "https://cassinilabs.com/privacy-policy/" End User License AgreementHYPERLINK "https://cassinilabs.com/privacy-policy/" Privacy PolicyThis will download FastStone Capture to your computer click "Next" to continue.A versatile tool for capturing and editing screenshots...Welcome to FastStone Capture Download Manager&NextCancel
Source: C:\Users\user\Downloads\faststone-capture.exe Window detected: < &BackI &AgreeCancelwww.FastStone.org www.FastStone.orgLicense AgreementPlease review the license terms before installing FastStone Capture 9.7.Press Page Down to see the rest of the agreement.Please read the following terms and conditions carefully before using FastStone Capture. Use of FastStone Capture indicates you accept the terms of this license agreement and warranty.1. Disclaimer of WarrantyFastStone Capture (this software) is provided "as-is" and without warranty of any kind express implied or otherwise including without limitation any warranty of merchantability or fitness for a particular purpose. In no event shall the author of this software be held liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.2. LicenseFastStone Capture is shareware. You may try it free for 30 days. Once this 30-day period has expired you must either purchase a license to use this software or uninstall it from your computer promptly.3. Restrictions on Use FastStone Capture must not be decompiled disassembled reverse engineered or otherwise modified. Copyright (C) 2021 FastStone Corporation. All rights reserved.If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install FastStone Capture 9.7.
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_100_percent.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_200_percent.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\icudtl.dat Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\LICENSE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\LICENSES.chromium.html Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\af.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\am.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ar.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\bg.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\bn.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ca.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\cs.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\da.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\de.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\el.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\en-GB.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\en-US.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\es-419.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\es.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\et.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fa.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fi.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fil.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fr.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\gu.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\he.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hi.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hr.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hu.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\id.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\it.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ja.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\kn.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ko.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\lt.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\lv.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ml.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\mr.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ms.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nb.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nl.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pl.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pt-BR.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pt-PT.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ro.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ru.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sk.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sl.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sr.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sv.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sw.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ta.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\te.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\th.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\tr.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\uk.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ur.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\vi.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-CN.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-TW.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources.pak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar.sig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\snapshot_blob.bin Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\v8_context_snapshot.bin Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\version Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vk_swiftshader_icd.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\d3dcompiler_47.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\ffmpeg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libEGL.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libGLESv2.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vk_swiftshader.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vulkan-1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\amd64 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\VPN
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\VPN\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsClient.Protection.Microphone.dll.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsExtensionHost.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsRemediation.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Signatures.dat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\@reasonsoftware+windows-notification-state.node
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\WhiteList.dat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\7zarm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\ext_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\lz4_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsCamFilter020502.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsJournal-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsYara-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\BouncyCastle.Crypto.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Dia2Lib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnifiedStub-installer.exe.log
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Program Files (x86)\FastStone Capture\LicenseAgreement.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-cs-CZ.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-da-DK.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-de-DE.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-el-GR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-en-US.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-es-ES.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-es-MX.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-fi-FI.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-fr-CA.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-fr-FR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-hr-HR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-hu-HU.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-it-IT.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-ja-JP.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-ko-KR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-nb-NO.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-nl-NL.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-pl-PL.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-pt-BR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-pt-PT.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-ru-RU.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-sk-SK.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-sr-Latn-CS.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-sv-SE.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-tr-TR.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-zh-CN.txt
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\jslang\eula-zh-TW.txt
Source: faststone-capture_voLss-1.exe Static PE information: certificate valid
Source: faststone-capture_voLss-1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: rsAtom.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\linoy\Documents\GitHub\zbShield-Utils-CPP\zbShieldUtils\bin\Release\Helper.pdb source: faststone-capture_voLss-1.tmp, 00000001.00000003.2197108227.0000000007670000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 00000005.00000000.2113596179.00000259636B2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\System.Data.SQLite\System.Data.SQLite\obj\2022\System.Data.SQLite\Release\System.Data.SQLite.pdb\ source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsTime\rsTime\rsTime\obj\Release\net462\rsTime.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 0000000A.00000000.2180936055.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000A.00000002.2182546062.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000C.00000000.2181750319.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\ArchiveUtility\ArchiveUtility\Reason.ArchiveUtility\bin\ARM64\Release\Reason.ArchiveUtility-ARM64.pdb source: gngnwua3.exe, 00000007.00000003.2156690263.0000000002360000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2156743744.0000000000640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsTime\rsTime\rsTime\obj\Release\net462\rsTime.pdbT,n, `,_CorDllMainmscoree.dll source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsDatabase.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\ArchiveUtility\ArchiveUtility\Reason.ArchiveUtility\bin\x64\Release\Reason.ArchiveUtility-x64.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.00000000032EF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163291402.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163882823.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb$1>1 01_CorExeMainmscoree.dll source: prod0.exe, 00000005.00000000.2113596179.00000259636B2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000006.00000000.2141298974.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp, saBSI.exe, 00000006.00000002.2807174060.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\rsStub\rsStub\UnifiedStub\obj\Release\UnifiedStub.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: rsLogger.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStub\rsStub\rsStubRunner\rsStubRunner\bin\Release\x64\rsStubRunner.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.00000000032EF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2166622369.00000000032AF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163291402.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000000.2189538132.00007FF7F9EF5000.00000002.00000001.01000000.00000013.sdmp, Uninstall.exe, 0000000D.00000002.2211732158.00007FF7F9EF5000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsJSON.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 0000000A.00000000.2180936055.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000A.00000002.2182546062.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000C.00000000.2181750319.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: rsLogger.pdbx source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\System.Data.SQLite\System.Data.SQLite\obj\2022\System.Data.SQLite\Release\System.Data.SQLite.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EEBB3C FindFirstFileExW, 13_2_00007FF7F9EEBB3C
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 14_2_00405C4E
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_0040689A FindFirstFileW,FindClose, 14_2_0040689A
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_00402902 FindFirstFileW, 14_2_00402902
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Code function: 16_2_00404EC1 FindFirstFileW, 16_2_00404EC1
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local

Networking

Source: Yara match File source: 16.3.Stub.exe.2e05c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e48200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e25c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e22e00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e28200.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e42e00.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e45c00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e02e00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e20000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e08200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000003.2309181808.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2278728649.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\netstandard.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Core.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll, type: DROPPED
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47CF8E0 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,URLDownloadToFileA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47CF8E0
Source: saBSI.exe, 00000006.00000003.2501412990.0000000005B87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign
Source: saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FE25000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002A38000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2501325839.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2139818805.0000000005C21000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503009333.0000000005B51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503500035.0000000005B8C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503183688.0000000005B93000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505426822.0000000005B94000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503646735.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2493306628.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2502947221.0000000005B92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FE25000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002A38000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2501325839.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2139818805.0000000005C21000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503009333.0000000005B51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503500035.0000000005B8C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503183688.0000000005B93000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501412990.0000000005B8A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503646735.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505354252.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2493306628.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2502947221.0000000005B92000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2810945355.0000000005B86000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505588300.0000000005B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FE25000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002A38000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: saBSI.exe, 00000006.00000003.2501561015.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crt
Source: gngnwua3.exe, 00000007.00000003.2166622369.00000000032EF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2166622369.00000000032AF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163291402.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163882823.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp, faststone-capture.exe, 0000000E.00000002.2479032736.0000000002A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: faststone-capture.exe, 0000000E.00000002.2479032736.0000000002A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1722868629.0000000002600000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.2507412208.00000000022A6000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2504866593.00000000075B6000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1730636094.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: faststone-capture.exe, 0000000E.00000002.2478459198.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.faststone.org
Source: saBSI.exe, 00000006.00000003.2505354252.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2493306628.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2502854904.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2502947221.0000000005B92000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505588300.0000000005B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mcafee.com
Source: chrome.exe, 0000000F.00000003.4174743683.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2767978599.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4349826987.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3766309876.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4236159008.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4411081509.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2169184053.0000000003247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/
Source: saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/N_
Source: saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/_
Source: saBSI.exe, 00000006.00000002.2808233151.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/f_
Source: saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2158917863.0000000003224000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2169184053.0000000003247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000006.00000002.2808233151.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record$
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record=
Source: saBSI.exe, 00000006.00000002.2808233151.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordR&
Source: saBSI.exe, 00000006.00000002.2808233151.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordS.O
Source: saBSI.exe, 00000006.00000003.2296177752.00000000032A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordcom
Source: saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000006.00000000.2141298974.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp, saBSI.exe, 00000006.00000002.2807174060.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/r
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.apis.mcafee.comor
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.qa.apis.mcafee.com
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://beta.reasonlabs.com/contact-us?prod=2&utm_source=vpn_uninstall&utm_medium=home_contact_suppo
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://beta.reasonlabs.com/contact-us?prod=3&utm_source=safer_web_uninstall_home&utm_medium=contact
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2496268504.0000000000882000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cassinilabs.com/privacy-policy/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1813052860.00000000053F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cassinilabs.com/privacy-policy/ent=true&oc=
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cassinilabs.com/privacy-policy/q
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2496268504.0000000000882000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.download.it/gen/faststone-capture-100x100.png
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000083A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.000000000083A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.download.it/gen/faststone-capture-100x100.pngGC
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1813052860.00000000053F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.download.it/gen/faststone-capture-100x100.pngee05d667b5107239
Source: chrome.exe, 0000000F.00000003.4174743683.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2767978599.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4349826987.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3766309876.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4236159008.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4411081509.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 0000000F.00000003.4086891220.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges-staging.cloudflare.com
Source: chrome.exe, 0000000F.00000003.4086891220.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com
Source: chrome.exe, 0000000F.00000003.4113159505.000007A803DC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/
Source: chrome.exe, 0000000F.00000003.4419609849.000007A8042B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4419491925.000007A804650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4419552616.000007A804CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4418612768.000007A80429C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4399585322.000007A80254C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/flow/ov1/299565161:1728015891:-zHfP
Source: chrome.exe, 0000000F.00000003.3883919812.000007A804AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/bcxkx/0
Source: chrome.exe, 0000000F.00000003.3707670073.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/c0zxi/0
Source: chrome.exe, 0000000F.00000003.3838113781.000007A803DBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/du5vc/0
Source: chrome.exe, 0000000F.00000003.4113159505.000007A803DC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/j1c1g/0
Source: chrome.exe, 0000000F.00000003.4349826987.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4418612768.000007A80429C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4406741288.000007A80381C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4399585322.000007A80254C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/wngd1/0
Source: chrome.exe, 0000000F.00000003.3563511401.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086731265.000007A803FCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3853173169.000007A803F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086595305.000007A804BD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3853035697.000007A803FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086891220.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/turnstile/v0/g/ec4b873d446c/api.js?onload=Jeuhg1&render=explicit
Source: chrome.exe, 0000000F.00000003.3563851844.000007A803FCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3563511401.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086731265.000007A803FCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3853173169.000007A803F9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086595305.000007A804BD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3853035697.000007A803FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4086891220.000007A803FBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://challenges.cloudflare.com/turnstile/v0/g/ec4b873d446c/api.js?onload=Jeuhg1&render=explicitaD
Source: chrome.exe, 0000000F.00000003.4280689054.000007A80320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000F.00000003.3577221795.000007A803D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4281587753.000007A8030BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3577285128.000007A8030BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3698808392.000007A803D7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4112712276.000007A802538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3698673967.000007A802538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4112935279.000007A8030BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4280689054.000007A80320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000F.00000003.3554303804.000007A804ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cloudflareinsights.com/cdn-cgi/rum
Source: saBSI.exe, 00000006.00000002.2808233151.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282776680.00000000032A6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2494624940.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282807159.00000000032A9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296177752.00000000032AB000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.00000000032AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://confluence.int.mcafee.com/pages/viewpage.action?pageId=35264328
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1722868629.0000000002600000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.2507412208.000000000230D000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.0000000002450000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2500152750.000000000360C000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2499478644.0000000003507000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1730636094.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://control.kochava.com/v1/cpi/click?campaign_id=kohotspot-shield-2oo5a3058127822662&network_id=
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cu1pehnswad01.servicebus.windows.net/wadp32h02/messages?timeout=60&api-version=2014-01
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/T
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1722868629.0000000002600000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.2507412208.000000000230D000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.0000000002450000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2499478644.0000000003507000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2504866593.0000000007490000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1730636094.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1722868629.0000000002600000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.2507412208.000000000230D000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.0000000002450000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2499478644.0000000003507000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2500152750.00000000035E1000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1730636094.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000054B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png4
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1813052860.0000000005408000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png7
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000054B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pngD
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.00000000024E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000054B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip:
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000054B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipr
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2496268504.0000000000880000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2496268504.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.00000000007E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dthbggft19bwp.cloudfront.net/f/WebAdvisor/images/1626/EN.png
Source: saBSI.exe, 00000006.00000003.2786165084.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2231209818.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2192864038.0000000003281000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296177752.0000000003283000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.0000000003283000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.0000000003281000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml/
Source: saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xmlnload.mcafee.com
Source: saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/binaryR
Source: saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/965/
Source: saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/965/64/installer.exeexe
Source: saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/pc/partner_custom_bsi.xml
Source: saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/pc/partner_custom_bsi.xmlI)
Source: saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/pc/partner_custom_bsi.xmlR&
Source: saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.0000000003283000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2808233151.0000000003266000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/update/post_install.xml
Source: saBSI.exe, 00000006.00000002.2808233151.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2796277508.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/update/post_install.xml3&
Source: saBSI.exe, 00000006.00000003.2796277508.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797204822.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/update/post_install.xml~)
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/sa$
Source: saBSI.exe, 00000006.00000003.2255280549.0000000005934000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2494866031.0000000005932000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2231167895.0000000005933000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2810393352.0000000005930000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2797148356.0000000005930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary
Source: saBSI.exe, 00000006.00000003.2795680740.000000000594B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2255280549.000000000594B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2494866031.000000000594B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary/
Source: saBSI.exe, 00000006.00000002.2810546434.000000000597B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296177752.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282907807.0000000005967000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282907807.000000000597B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2282672642.000000000329F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2295089706.000000000597B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2296427734.0000000005968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/sa/v1/pc/partner_custom_vars.xml
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/saLOCALA
Source: saBSI.exe, 00000006.00000000.2141298974.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp, saBSI.exe, 00000006.00000002.2807174060.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: https://sadownload.mcafee.com/products/saUPDATER_URLupdater.exeWebAdvisor_Updaterheron_hostthreat.ap
Source: saBSI.exe, 00000006.00000003.2786165084.000000000329F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sadownload.mcafee.com:443/products/SA/v1/update/post_install.xml
Source: prod0.exe, 00000005.00000000.2113596179.00000259636B2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://shield.reasonsecurity.com/7ReasonLabs-Setup-Wizard.exe
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.000000000085C000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1792723318.0000000000873000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2504866593.0000000007598000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeA
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeK
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeZ
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000086F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exes/1489/saBSI.zipu
Source: chrome.exe, 0000000F.00000003.3554303804.000007A804ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
Source: chrome.exe, 0000000F.00000003.3554303804.000007A804ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015aD
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://system.data.sqlite.org/
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://system.data.sqlite.org/X
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://track.analytics-data.io
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://update-beta.reasonsecurity.com/v2/live
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://update-beta.reasonsecurity.com/v2/update
Source: chrome.exe, 0000000F.00000003.2830617850.000007A802543000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://update.googleapis.com/service/update2/json?cup2key=13:VwnLo86zDIR1DjEkOQ_NGmKytUSjF318ImY__c
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonse.com/vo
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/live
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/live-dt:10m
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/livePCCotO
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/livecle
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/liveonProgramF
Source: rsSyncSvc.exe, 0000000A.00000002.2182327581.000002201DB70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/livev1.0
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://update.reasonsecurity.com/v2/update
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.360totalsecurity.com/en/license/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.360totalsecurity.com/en/license/0
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.360totalsecurity.com/en/privacy/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.360totalsecurity.com/en/privacy/M
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.ck
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.coP
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000088A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1792723318.000000000088A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.0000000000859000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779315759.000000000088A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.com/eula
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.com/eula-avast-consumer-products
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000088A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1792723318.000000000088A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.0000000000859000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779315759.000000000088A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.com/privacy
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.com/privacy-policy
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avast.come
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.000000000085C000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avg.com/ww-en/eula
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1792723318.0000000000873000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avg.com/ww-en/privacy
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.000000000085C000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avg.com/ww-en/privacyM
Source: faststone-capture.exe, 0000000E.00000002.2479032736.0000000002A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: chrome.exe, 0000000F.00000003.4174743683.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2767978599.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4349826987.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3766309876.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4236159008.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4411081509.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000000F.00000003.4174743683.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2767978599.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4349826987.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3766309876.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4236159008.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4411081509.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 0000000F.00000003.4174743683.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2767978599.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4349826987.000007A802D74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.3766309876.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4236159008.000007A802D70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.4411081509.000007A802D70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.forbes.com/sites/forbestechcouncil/2022/07/13/why-do-hacks-happen-four-ubiquitous-motiva
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FE25000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002A38000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000002.2501325839.0000000004D5A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2139818805.0000000005C21000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503009333.0000000005B51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503500035.0000000005B8C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503183688.0000000005B93000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501412990.0000000005B8A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505646817.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503828013.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2501561015.0000000003280000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505426822.0000000005B94000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503646735.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505354252.0000000005BA9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2493306628.0000000005A3A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2503251502.0000000003282000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2502947221.0000000005B92000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2810945355.0000000005B86000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2505588300.0000000005B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or 
memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 0000000F.00000003.4280689054.000007A80320C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002740000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000000.1728994053.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.0000000002450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/e
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.0000000002450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2498006905.00000000024EC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/poli
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2504866593.000000000755E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/lega
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2504866593.0000000007591000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000083A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.000000000083A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html$D
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html/1626/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000083A000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlG8
Source: saBSI.exe, 00000006.00000000.2141298974.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp, saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2807174060.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html
Source: saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlq
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2501786930.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1813052860.00000000053F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.opera.com/he/eula/computers
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.000000000085C000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.opera.com/he/privacy
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.000000000085C000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.000000000084F000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.opera.com/he/privacy6
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.reasonsecurity.com/
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.reasonsecurity.com/safer-web/privacy-policy?utm_source=reason_safer_web_installer
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.reasonsecurity.com/safer-web/terms?utm_source=reason_safer_web_installer
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.reasonsecurity.com/vpn/privacy-policy?utm_source=reason_vpn_installer
Source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.reasonsecurity.com/vpn/terms?utm_source=reason_vpn_installer
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002740000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000000.1728994053.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2499478644.00000000035C9000.00000004.00001000.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.winzip.com/win/en/eula.html
Source: faststone-capture_voLss-1.tmp, 00000001.00000002.2496268504.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.winzip.com/win/en/eula.html;
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.winzip.com/win/en/privacy.html
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779625982.0000000000810000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000801000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778559928.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.winzip.com/win/en/privacy.htmlk
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 14_2_004056E3
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF7234CDBB1649702229F955C785C39F
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\x64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_94D503D192B52F2BF45A18D0E3D98193
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\rsKernelEngine.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rselam.cat

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File dropped: C:\Program Files\McAfee\Temp2225664224\jslang\eula-en-US.txt -> encryption key for your account secure because without them you may lose access to your data. you are solely responsible and liable for any activity that occurs under your account, including by anyone who uses your account. if there is any unauthorized use or access to your account, you must let us know immediately. we are not responsible for any loss caused by unauthorized use of or access to your account; however, you may be liable for any losses we or others suffer because of the unauthorized use. we do not have access to master passwords and cannot recover your encrypted data if you forget the master password for any password management feature or product. we offer both free and premium versions of our password and identity management software, and the free versions limit the maximum number of unique accounts (such as a website or application login) that you can store. if you have downloaded a premium version of the software at no cost during a promotion, then when the promotional period ends you will not
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\Downloads\faststone-capture.exe entropy: 7.99887313945
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\WebAdvisor.png (copy) entropy: 7.99120652795
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\faststone-capture.exe (copy) entropy: 7.99887313945
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1 (copy) entropy: 7.99597518735
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1.zip (copy) entropy: 7.99597518735
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe entropy: 7.99155381417
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources.pak entropy: 7.99695642031
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\Local\Temp\electron.7z entropy: 7.99999530372
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z entropy: 7.99998027025
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\analyticsmanager.cab entropy: 7.99969718002
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\browserhost.cab entropy: 7.99956002522
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\browserplugin.cab entropy: 7.9992113156
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\eventmanager.cab entropy: 7.99964983393
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\logicmodule.cab entropy: 7.99972848758
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\mfw-webadvisor.cab entropy: 7.99454578965
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\mfw.cab entropy: 7.99684236756
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\servicehost.cab entropy: 7.99875012535
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\settingmanager.cab entropy: 7.9996134867
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\taskmanager.cab entropy: 7.99987398306
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\uihost.cab entropy: 7.99861464263
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\uimanager.cab entropy: 7.99954608112
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\uninstaller.cab entropy: 7.99961673943
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\updater.cab entropy: 7.99948483637
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe File created: C:\Program Files\McAfee\Temp2225664224\wssdep.cab entropy: 7.99935686224
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe File created: C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi entropy: 7.99707344308

System Summary

Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File dump: rsAppUI.exe.9.dr 177011072
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B66220: GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl, 6_2_00B66220
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47C5910 RegCreateKeyExW,RegCloseKey,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47C5910
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47EEBA0 WTSGetActiveConsoleSessionId,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,GetLastError,DuplicateTokenEx,CloseHandle,CreateProcessAsUserW,CloseHandle,WaitForSingleObject,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47EEBA0
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 14_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Windows\system32\drivers\rsCamFilter020502.sys
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Windows\system32\drivers\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Windows\system32\drivers\rsElam.sys
Source: C:\Windows\System32\wevtutil.exe Process token adjusted: Security
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7508 -ip 7508
Source: faststone-capture_voLss-1.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: installer.exe.6.dr Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 24653488 bytes, 137 files, at 0x2c +A "analyticsmanager.cab" +A "analyticstelemetry.cab", number 1, 895 datablocks, 0x1 compression
Source: faststone-capture_voLss-1.exe, 00000000.00000000.1722385220.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs faststone-capture_voLss-1.exe
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1727517517.000000007FE25000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs faststone-capture_voLss-1.exe
Source: faststone-capture_voLss-1.exe, 00000000.00000003.1725410049.0000000002A38000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs faststone-capture_voLss-1.exe
Source: faststone-capture_voLss-1.exe, 00000000.00000003.2507412208.0000000002368000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs faststone-capture_voLss-1.exe
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\118.0.1 (x64 en-US)\Main Install Directory
Source: faststone-capture_voLss-1.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Key value queried: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon version
Source: classification engine Classification label: mal54.rans.phis.troj.spyw.evad.winEXE@112/2330@0/49
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 14_2_004035D8
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_00404983 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 14_2_00404983
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerExW,SetServiceStatus,CreateEventW,GetLastError,SetServiceStatus,SetServiceStatus,WaitForSingleObject,CloseHandle,SetServiceStatus, 10_2_00007FF6B47C7F40
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B54C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00B54C8E
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B55C1E CoCreateInstance,OleRun, 6_2_00B55C1E
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B75318 GetModuleHandleW,FindResourceW,LoadResource,LockResource,std::ios_base::_Ios_base_dtor,GetModuleHandleW,GetProcAddress,GetCurrentProcess,Concurrency::cancel_current_task,Concurrency::cancel_current_task,SysFreeString,SysFreeString, 6_2_00B75318
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47C7F40 GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerExW,SetServiceStatus,CreateEventW,GetLastError,SetServiceStatus,SetServiceStatus,WaitForSingleObject,CloseHandle,SetServiceStatus, 10_2_00007FF6B47C7F40
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47C5910 RegCreateKeyExW,RegCloseKey,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47C5910
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5468:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\_rsStubExecute
Source: C:\Program Files\McAfee\WebAdvisor\updater.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Mutant created: \Sessions\1\BaseNamedObjects\Global\{b8902f1a-2cf8-4fb6-b445-6b15e94cdf19}Installer
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Mutant created: \Sessions\1\BaseNamedObjects\FSCapture
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7508
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2740:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Mutant created: \Sessions\1\BaseNamedObjects\{b8902f1a-2cf8-4fb6-b445-6b15e94cdf19}Installer
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe File created: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%EPP%'
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 7180
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%ReasonEDR%'
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%VPN%'
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'rsAppUI.exe' AND CommandLine Like '%VPN%'
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%DNS%'
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'rsAppUI.exe' AND CommandLine Like '%DNS%'
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%EPP%'
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%VPN%'
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 7924
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'rsAppUI.exe' AND CommandLine Like '%EPP%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fheoggkfdfchfphceeifdbepaooicaho%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%klekeajafkkpokaofllcadenjdckhinm%'
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fheoggkfdfchfphceeifdbepaooicaho%'
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select ParentProcessId from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fdhgeoginicibhagdmblfikbgbkahibd%'
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
Source: faststone-capture_voLss-1.exe ReversingLabs: Detection: 45%
Source: faststone-capture_voLss-1.exe Virustotal: Detection: 36%
Source: installer.exe String found in binary or memory: wa-install.html
Source: installer.exe String found in binary or memory: wa-ui-install.js
Source: installer.exe String found in binary or memory: wa-install.css
Source: installer.exe String found in binary or memory: jslang\wa-res-install-it-IT.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-ja-JP.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-hu-HU.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-fr-FR.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-hr-HR.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-fr-CA.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-fi-FI.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-es-ES.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-es-MX.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-en-US.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-el-GR.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-da-DK.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-de-DE.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-cs-CZ.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-zh-TW.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-tr-TR.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-zh-CN.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-sv-SE.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-sr-Latn-CS.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-ru-RU.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-sk-SK.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-pt-PT.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-pt-BR.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-nl-NL.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-pl-PL.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-nb-NO.js
Source: installer.exe String found in binary or memory: jslang\wa-res-install-ko-KR.js
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe File read: C:\Users\user\Desktop\faststone-capture_voLss-1.exe
Source: unknown Process created: C:\Users\user\Desktop\faststone-capture_voLss-1.exe "C:\Users\user\Desktop\faststone-capture_voLss-1.exe"
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe Process created: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp "C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp" /SL5="$10480,1583351,832512,C:\Users\user\Desktop\faststone-capture_voLss-1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&b=ch&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Process created: C:\Users\user\AppData\Local\Temp\gngnwua3.exe "C:\Users\user\AppData\Local\Temp\gngnwua3.exe" /silent
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /silent
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Source: unknown Process created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\Downloads\faststone-capture.exe "C:\Users\user\Downloads\faststone-capture.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://en.download.it/?typ=1
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Process created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe "C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1872,i,3259608967956650124,12905320349364602132,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7508 -ip 7508
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 2416
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Process created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\Stub.exe Process created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7508 -ip 7508
Source: unknown Process created: C:\Program Files (x86)\FastStone Capture\FSCapture.exe "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 2416
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe Process created: C:\Program Files\McAfee\Temp2225664224\installer.exe "C:\Program Files\McAfee\Temp2225664224\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
Source: unknown Process created: C:\Program Files\McAfee\WebAdvisor\servicehost.exe "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Process created: C:\Program Files\McAfee\WebAdvisor\uihost.exe "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Process created: C:\Program Files\McAfee\WebAdvisor\updater.exe "C:\Program Files\McAfee\WebAdvisor\updater.exe"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: C:\Windows\System32\wevtutil.exe
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe Process created: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp "C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp" /SL5="$10480,1583351,832512,C:\Users\user\Desktop\faststone-capture_voLss-1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&b=ch&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\Downloads\faststone-capture.exe "C:\Users\user\Downloads\faststone-capture.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://en.download.it/?typ=1
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Process created: C:\Users\user\AppData\Local\Temp\gngnwua3.exe "C:\Users\user\AppData\Local\Temp\gngnwua3.exe" /silent
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Process created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /silent
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Process created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe "C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1872,i,3259608967956650124,12905320349364602132,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Process created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7508 -ip 7508
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 2416
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7508 -ip 7508
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\Stub.exe Process created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: unknown unknown
Source: C:\Program Files\McAfee\WebAdvisor\updater.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Source: C:\Program Files\McAfee\WebAdvisor\updater.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Section loaded: propsys.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: urlmon.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: powrprof.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: wtsapi32.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: winhttp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: iertutil.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: srvcli.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: msasn1.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: umpdc.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Section loaded: windows.storage.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Section loaded: wldp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: userenv.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: propsys.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: oleacc.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: version.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: shfolder.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: wldp.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: profapi.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: riched20.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: usp10.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: msls31.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: textshaping.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: cscapi.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: sxs.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File written: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Automated click: Run
Source: C:\Users\user\Downloads\faststone-capture.exe Automated click: Next >
Source: C:\Users\user\Downloads\faststone-capture.exe Automated click: I Agree
Source: C:\Users\user\Downloads\faststone-capture.exe Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Window detected: HYPERLINK "https://cassinilabs.com/privacy-policy/" End User License AgreementHYPERLINK "https://cassinilabs.com/privacy-policy/" Privacy PolicyThis will download FastStone Capture to your computer click "Next" to continue.A versatile tool for capturing and editing screenshots...Welcome to FastStone Capture Download Manager&NextCancel
Source: C:\Users\user\Downloads\faststone-capture.exe Window detected: < &BackI &AgreeCancelwww.FastStone.org www.FastStone.orgLicense AgreementPlease review the license terms before installing FastStone Capture 9.7.Press Page Down to see the rest of the agreement.Please read the following terms and conditions carefully before using FastStone Capture. Use of FastStone Capture indicates you accept the terms of this license agreement and warranty.1. Disclaimer of WarrantyFastStone Capture (this software) is provided "as-is" and without warranty of any kind express implied or otherwise including without limitation any warranty of merchantability or fitness for a particular purpose. In no event shall the author of this software be held liable for data loss damages loss of profits or any other kind of loss while using or misusing this software.2. LicenseFastStone Capture is shareware. You may try it free for 30 days. Once this 30-day period has expired you must either purchase a license to use this software or uninstall it from your computer promptly.3. Restrictions on Use FastStone Capture must not be decompiled disassembled reverse engineered or otherwise modified. Copyright (C) 2021 FastStone Corporation. All rights reserved.If you accept the terms of the agreement click I Agree to continue. You must accept the agreement to install FastStone Capture 9.7.
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_100_percent.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_200_percent.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\icudtl.dat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\LICENSE
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\LICENSES.chromium.html
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\af.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\am.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ar.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\bg.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\bn.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ca.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\cs.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\da.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\de.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\el.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\en-GB.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\en-US.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\es-419.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\es.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\et.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fa.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fi.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fil.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\fr.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\gu.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\he.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hi.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hr.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hu.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\id.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\it.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ja.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\kn.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ko.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\lt.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\lv.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ml.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\mr.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ms.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nb.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nl.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pl.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pt-BR.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\pt-PT.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ro.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ru.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sk.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sl.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sr.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sv.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sw.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ta.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\te.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\th.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\tr.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\uk.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ur.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\vi.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-CN.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-TW.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources.pak
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\snapshot_blob.bin
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\v8_context_snapshot.bin
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\version
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vk_swiftshader_icd.json
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsKernelEngine.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Signatures.dat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\@reasonsoftware+windows-notification-state.node
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\WhiteList.dat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\7zarm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\ext_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\lz4_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsCamFilter020502.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsJournal-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\rsYara-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\arm64\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsDatabase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsLogger.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\rsTime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.AppContext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TextWriterTraceListener.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tools.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Calendars.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.Extensions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.IsolatedStorage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.UnmanagedMemoryStream.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Queryable.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NameResolution.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Ping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Sockets.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebHeaderCollection.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Writer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Handles.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.RuntimeInformation.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.X509Certificates.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.Extensions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.ThreadPool.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlSerializer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.XDocument.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\mc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\NAudio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\netstandard.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Newtonsoft.Json.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsCamilla.Runtime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCServer.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\VPN
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\VPN\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsClient.Protection.Microphone.dll.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsExtensionHost.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsRemediation.exe.config
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\SecurityProductInformation.ini
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Signatures.dat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.sig
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\@reasonsoftware+windows-notification-state.node
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\manifest.json
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\WhiteList.dat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\evntdrv.xml
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rselam.cat
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rsElam.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\7zarm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\ext_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\lz4_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsCamFilter020502.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsJournal-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsYara-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\SQLite.Interop.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\BouncyCastle.Crypto.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Dia2Lib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP
Source: faststone-capture_voLss-1.exe Static PE information: certificate valid
Source: faststone-capture_voLss-1.exe Static file information: File size 2522504 > 1048576
Source: faststone-capture_voLss-1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: rsAtom.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\linoy\Documents\GitHub\zbShield-Utils-CPP\zbShieldUtils\bin\Release\Helper.pdb source: faststone-capture_voLss-1.tmp, 00000001.00000003.2197108227.0000000007670000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 00000005.00000000.2113596179.00000259636B2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\System.Data.SQLite\System.Data.SQLite\obj\2022\System.Data.SQLite\Release\System.Data.SQLite.pdb\ source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsTime\rsTime\rsTime\obj\Release\net462\rsTime.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 0000000A.00000000.2180936055.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000A.00000002.2182546062.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000C.00000000.2181750319.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\ArchiveUtility\ArchiveUtility\Reason.ArchiveUtility\bin\ARM64\Release\Reason.ArchiveUtility-ARM64.pdb source: gngnwua3.exe, 00000007.00000003.2156690263.0000000002360000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2156743744.0000000000640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsTime\rsTime\rsTime\obj\Release\net462\rsTime.pdbT,n, `,_CorDllMainmscoree.dll source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsDatabase.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\ArchiveUtility\ArchiveUtility\Reason.ArchiveUtility\bin\x64\Release\Reason.ArchiveUtility-x64.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.00000000032EF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163291402.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163882823.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb$1>1 01_CorExeMainmscoree.dll source: prod0.exe, 00000005.00000000.2113596179.00000259636B2000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000006.00000000.2141298974.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp, saBSI.exe, 00000006.00000002.2807174060.0000000000C0E000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\rsStub\rsStub\UnifiedStub\obj\Release\UnifiedStub.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000009.00000000.2169333527.000001E0C9BC2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: rsLogger.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\rsStub\rsStub\rsStubRunner\rsStubRunner\bin\Release\x64\rsStubRunner.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.00000000032EF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2166622369.00000000032AF000.00000004.00001000.00020000.00000000.sdmp, gngnwua3.exe, 00000007.00000003.2163291402.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, Uninstall.exe, 0000000D.00000000.2189538132.00007FF7F9EF5000.00000002.00000001.01000000.00000013.sdmp, Uninstall.exe, 0000000D.00000002.2211732158.00007FF7F9EF5000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsJSON.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 0000000A.00000000.2180936055.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000A.00000002.2182546062.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp, rsSyncSvc.exe, 0000000C.00000000.2181750319.00007FF6B4858000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: rsLogger.pdbx source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\System.Data.SQLite\System.Data.SQLite\obj\2022\System.Data.SQLite\Release\System.Data.SQLite.pdb source: gngnwua3.exe, 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp
Source: is-50JKG.tmp.1.dr Static PE information: 0xD49AEFA9 [Mon Jan 11 20:08:09 2083 UTC]
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B92B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError, 6_2_00B92B30
Source: faststone-capture_voLss-1.exe Static PE information: section name: .didata
Source: faststone-capture_voLss-1.tmp.0.dr Static PE information: section name: .didata
Source: saBSI.exe.1.dr Static PE information: section name: .didat
Source: gngnwua3.exe.5.dr Static PE information: section name: .sxdata
Source: installer.exe.6.dr Static PE information: section name: _RDATA
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Code function: 1_2_00190898 pushfd ; retf 1_2_0019089B
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Code function: 1_2_0018FA69 push FFFFFFC2h; iretd 1_2_0018FA6B
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Code function: 1_2_00190D6D push es; iretd 1_2_00190D6F
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Code function: 1_2_00191263 push 00000057h; retf 1_2_0019126B
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BC8DDB push ecx; ret 6_2_00BC8DEE
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BF7CFD push ecx; ret 6_2_00BF7D12
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Code function: 16_2_00419800 push eax; ret 16_2_0041982E
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Code function: 16_2_004197D0 push eax; ret 16_2_004197EE
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Code function: 22_2_00007FFD9BAA5536 push cs; retf 22_2_00007FFD9BAA5539
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\LULGB13J\rsAtom.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\zh-TW\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\3YWFLCQ0\rsLogger.DLL Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\System.ValueTuple.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsAtom.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\fr\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsJSON.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\rsYara-ARM64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.MemoryMappedFiles.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\es\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\de-DE\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\System.Data.SQLite.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.FileVersionInfo.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsTime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.IO.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\vi-VN\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\System.Data.SQLite.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Pipes.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsPerformance.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Program Files (x86)\FastStone Capture\FSRecorder.exe Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\sl\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\ext_arm64.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Program Files (x86)\FastStone Capture\FSFocus.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\System.ValueTuple.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\sl-SI\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\Microsoft.Win32.TaskScheduler.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\sk-SK\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\es-ES\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\it-IT\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Program Files (x86)\FastStone Capture\FSCapture.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\ARM64\Reason.ArchiveUtility-ARM64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\rsJournal-ARM64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\uninstall-dns.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\it-IT\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\lz4_arm64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\arm64\SQLite.Interop.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\tr-TR\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\id-ID\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\ru\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsTime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\th-TH\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\pt-PT\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsSyncSvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Formatters.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsTime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\de\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsDatabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\nl-NL\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\hr-HR\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsSyncSvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\ro-RO\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\ja-JP\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsSyncSvc.exe Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\fi-FI\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\it\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Program Files (x86)\FastStone Capture\uninst.exe Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\x64\Reason.ArchiveUtility-x64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\zh-CN\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\pl-PL\UnifiedStub.resources.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Users\user\AppData\Local\Temp\nsvFE3F.tmp\System.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\rsTime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\uninstall-dns.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\Users\user\AppData\Local\Temp\nsvFE3F.tmp\InstallOptions.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\uninstall-epp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsAtom.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\netstandard.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\de\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe File created: C:\Users\user\AppData\Local\Temp\Stub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe Jump to dropped file

Boot Survival

Source: C:\Windows\System32\rundll32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe File created: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\Stub.exe File created: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\133736644726034605\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rsCamFilter020502
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\FastStone Capture.lnk
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\FastStone Capture Help.lnk
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\Visit www.FastStone.org.lnk
Source: C:\Users\user\Downloads\faststone-capture.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Capture\Uninstall FastStone Capture.lnk
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B47C7F40 GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerExW,SetServiceStatus,CreateEventW,GetLastError,SetServiceStatus,SetServiceStatus,WaitForSingleObject,CloseHandle,SetServiceStatus, 10_2_00007FF6B47C7F40

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File opened: C:\Program Files\ReasonLabs\EPP\Uninstall.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe File opened: C:\Program Files\ReasonLabs\VPN\Uninstall.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File opened: C:\Program Files\ReasonLabs\EPP\Uninstall.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File opened: C:\Program Files\ReasonLabs\EPP\133736644726034605\Uninstall.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B80540 EnterCriticalSection,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LeaveCriticalSection, 6_2_00B80540
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
Source: C:\Users\user\Desktop\faststone-capture_voLss-1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\faststone-capture.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Memory allocated: 259639F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Memory allocated: 2597D490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Memory allocated: 1E0C9FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Memory allocated: 1E0E3CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Memory allocated: 1D88AAA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Memory allocated: 1D8A4380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Memory allocated: 171A85D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Memory allocated: 171C0700000 memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E085670000 memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1D8854A0000 memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1D8854C0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E085D00000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E085D40000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E095ED0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E095F50000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E096090000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E0969E0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E085DA0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E085DE0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E096070000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E0960D0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Memory allocated: 1E0960F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B54C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00B54C8E
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Window / User API: threadDelayed 7276
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Window / User API: threadDelayed 2544
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Window / User API: threadDelayed 6183
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Window / User API: threadDelayed 3601
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Window / User API: threadDelayed 2432
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Window / User API: threadDelayed 7365
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.Sockets.dll
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsDatabase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Dynamic.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Diagnostics.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\NAudio.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Diagnostics.FileVersionInfo.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\elam\rsElam.sys
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\taskmanager.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XPath.XDocument.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsTime.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvFE3F.tmp\ShellExecAsUser.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\VPN\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Xml.XmlDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsJSON.dll
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\Helper.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.RPCClient.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsClientSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.SecureString.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.Parallel.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.IO.IsolatedStorage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Collections.NonGeneric.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Extension.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Reflection.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Camera.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Diagnostics.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.Http.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Text.RegularExpressions.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Diagnostics.Contracts.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\x64\ext_x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Resources.Writer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Resources.Reader.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.ComponentModel.TypeConverter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\PLWH8YLO\rsTime.DLL
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Net.WebHeaderCollection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsLogger.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.Security.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.IO.FileSystem.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsLogger.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Security.Cryptography.Csp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.ThreadPool.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Globalization.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\ARM64\Reason.ArchiveUtility-ARM64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\amd64\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Requests.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\uninstall-dns.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\BXIH37RF\rsLogger.DLL
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.BTScan.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Resources.Writer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Runtime.Numerics.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.Serialization.Json.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Threading.Tasks.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Linq.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\Microsoft.Bcl.HashCode.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.Numerics.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsKernelEngine.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll
Source: C:\Users\user\AppData\Local\Temp\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsAtom.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\UJOTG38L\rsStubLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Resources.ResourceManager.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Net.WebSockets.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.WebSockets.Client.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Data.SQLite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.Sockets.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\YASXK9IJ\rsStubLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\7zarm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Edr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Net.Http.dll
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Reflection.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\Newtonsoft.Json.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Principal.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsJSON.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Diagnostics.Tools.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\arm64\KernelTraceControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.AppContext.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsLitmus.S.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\x64\Reason.ArchiveUtility-x64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Xml.XmlSerializer.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ObjectModel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\ui\EPP.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsJSON.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\U6HCGN11\Newtonsoft.Json.DLL Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsAssistant.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.RPCServer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.NameResolution.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\Microsoft.Diagnostics.FastSerialization.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Linq.Queryable.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Contracts.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.Requests.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.RPC.RPCServer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Utilities.Browsers.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsDatabase.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\uninstall-vpn.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\OSExtensions.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsDatabase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsLogger.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Xml.XPath.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.CompilerServices.VisualC.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Needle.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.ObjectModel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Console.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Tools.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.ComponentModel.TypeConverter.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.Compression.ZipFile.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Collections.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\rsCamFilter020502.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Encoding.dll (copy) Jump to dropped file
Source: C:\Users\user\Downloads\faststone-capture.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Security.SecureString.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.RPC.RPCServer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.ValueTuple.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\netstandard.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.ObjectModel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Net.Requests.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Linq.Expressions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Diagnostics.TextWriterTraceListener.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\gngnwua3.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsStubLib.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\amd64\KernelTraceControl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsPerformance.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Dynamic.Runtime.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Data.Common.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Threading.ThreadPool.dll Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.Tasks.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Threading.Timer.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Threading.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Linq.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Dynamic.Runtime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsTime.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Threading.Overlapped.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.OnDemand.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsWSC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\Microsoft.Diagnostics.Tracing.TraceEvent.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\lz4_arm64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsLogger.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Updater.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsCamilla.Runtime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\rsJSON.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Net.NameResolution.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\NAudio.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Cryptography.Algorithms.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Dropped PE file which has not been started: C:\Program Files (x86)\FastStone Capture\uninst.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Text.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Threading.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\x64\Reason.ArchiveUtility-x64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.IO.FileSystem.DriveInfo.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Reflection.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Client.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Security.Claims.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Performance.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsFrame.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvFE3F.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsTime.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.RPCServer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\9990JN8Z\rsAtom.DLL
Source: C:\Users\user\AppData\Local\Temp\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\uninstall-dns.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\ext_arm64.dll
Source: C:\Users\user\Downloads\faststone-capture.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvFE3F.tmp\InstallOptions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\netstandard.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.Extensions.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\TraceReloggerLib.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.AppContext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Text.RegularExpressions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Security.SecureString.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Threading.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Security.Cryptography.Algorithms.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Threading.Timer.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsWSC.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Security.Cryptography.Csp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\amd64\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Collections.Specialized.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsRemediation.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.IO.FileSystem.Watcher.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\uninstaller.exe
Source: C:\Program Files\McAfee\Temp2225664224\installer.exe Dropped PE file which has not been started: C:\Program Files\McAfee\WebAdvisor\settingmanager.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Text.Encoding.Extensions.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsAtom.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebHeaderCollection.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Runtime.InteropServices.RuntimeInformation.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.NetworkInformation.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\netstandard.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\TraceReloggerLib.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Algorithms.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Core.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Reflection.Extensions.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\System.Xml.XPath.XDocument.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Resources.Reader.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.Threading.Tasks.Parallel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\arm64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Diagnostics.Process.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsJSON.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsLitmus.A.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EDR\System.Net.WebSockets.Client.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\133736644726034605\System.ValueTuple.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.6.0\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe API coverage: 7.1 %
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe API coverage: 8.6 %
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp TID: 7604 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp TID: 7576 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe TID: 8020 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe TID: 8020 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe TID: 8024 Thread sleep count: 7276 > 30
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe TID: 8024 Thread sleep count: 2544 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe TID: 7292 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe TID: 7288 Thread sleep count: 6183 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe TID: 7288 Thread sleep count: 3601 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe TID: 1460 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe TID: 1460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4820 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe TID: 7776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe TID: 5500 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe TID: 5500 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe TID: 5624 Thread sleep count: 2432 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe TID: 3344 Thread sleep count: 7365 > 30
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe TID: 7696 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File Volume queried: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp FullSizeInformation
Source: C:\Users\user\Downloads\faststone-capture.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EEBB3C FindFirstFileExW, 13_2_00007FF7F9EEBB3C
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 14_2_00405C4E
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_0040689A FindFirstFileW,FindClose, 14_2_0040689A
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_00402902 FindFirstFileW, 14_2_00402902
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe Code function: 16_2_00404EC1 FindFirstFileW, 16_2_00404EC1
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BB2782 VirtualQuery,GetSystemInfo, 6_2_00BB2782
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp File opened: C:\Users\user\AppData\Local
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778276869.0000000000872000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Microsoft\\Windows\\CurrentVersion\\Uninstall\\^Opera"],"cp":"https://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computers","ov":100,"cbfo":true,"pv":"1.34","v":3,"x":3}},{"ad":{"n":"","f":"ZB_WinZip","o":"Winzip19"},"ps":{"dn":"WinZip","i":"WinZip/images/905/EN.png","u":"WinZip/files/1292/winzip28-dci5.zip","p":"/qn","c":"reg","r":["Nico Mak Computing\\WinZip"],"cp":"https://www.winzip.com/win/en/privacy.html","ctu":"https://www.winzip.com/win/en/eula.html","win64":true,"ov":100,"cbfo":true,"pv":"1.23","v":6}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast","o":"AVAST"},"ps":{"i":"AVAST/images/DOTPS-1511/547X280/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws /psh:{pxl}","rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"r":["AVAST Software\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1","WebBar","WebDiscoverBrowser","AVG\\Antivirus\\Version","AVG\\AV\\Dir"],"a":["AvastSvc","instup","AvastUI","AVGUI","avguix","AVGSvc","avgsvca"],"ctu":"https://www.avast.com/eula-avast-consumer-products","cp":"https://www.avast.com/privacy-policy","ov":61,"cbfo":true,"avauc":true,"avur":"AvUninstallTimestamp","pv":"1.29","x":12,"disk":2560,"ram":256,"iapp":["chrome.exe"],"v":1}},{"ad":{"n":"","f":"ZB_TotalSecurity_V4","o":"TotalSecurity_AV"},"ps":{"i":"TotalSecurity_AV/images/1127/V4/EN.png","dn":"360 Total 
Security","u":"TotalSecurity_AV/files/1127/ts360Setup.zip","p":"/s","r":["Microsoft\\Windows\\CurrentVersion\\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast_NCH","o":"Avast_NCH"},"ps":{"i":"AVAST/images/DOTPS-1511/547X280/
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.00000000007E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH=
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.G;
Source: faststone-capture_voLss-1.tmp, 00000001.00000003.1779362497.0000000000832000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.2201480649.0000000000832000.00000004.00000020.00020000.00000000.sdmp, faststone-capture_voLss-1.tmp, 00000001.00000003.1778409823.0000000000827000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2808233151.00000000031CE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2158917863.0000000003230000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: saBSI.exe, 00000006.00000002.2808233151.0000000003230000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000006.00000003.2158917863.0000000003230000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg
Source: C:\Users\user\Downloads\faststone-capture.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\runonce.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\System32\grpconv.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\System32\runonce.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE70B4 IsDebuggerPresent,OutputDebugStringW, 6_2_00BE70B4
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B65204 RegOpenKeyExW,RegQueryValueExW,SetLastError,RegCloseKey,RegCloseKey,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LoadLibraryExW,GetLastError, 6_2_00B65204
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B54C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00B54C8E
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BF7BC0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 6_2_00BF7BC0
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B92B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError, 6_2_00B92B30
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BDE8FE mov eax, dword ptr fs:[00000030h] 6_2_00BDE8FE
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE7CAE mov eax, dword ptr fs:[00000030h] 6_2_00BE7CAE
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE7CF2 mov eax, dword ptr fs:[00000030h] 6_2_00BE7CF2
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE7C6A mov eax, dword ptr fs:[00000030h] 6_2_00BE7C6A
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE7D23 mov eax, dword ptr fs:[00000030h] 6_2_00BE7D23
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00B5463F GetProcessHeap, 6_2_00B5463F
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BC9018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00BC9018
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BC93F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BC93F2
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BCD453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BCD453
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BC9586 SetUnhandledExceptionFilter, 6_2_00BC9586
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B48232D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00007FF6B48232D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B482EC7C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF6B482EC7C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EE92DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF7F9EE92DC
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EE4200 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF7F9EE4200
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EE411C SetUnhandledExceptionFilter, 13_2_00007FF7F9EE411C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Code function: 13_2_00007FF7F9EE3F78 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF7F9EE3F78
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\System32\runonce.exe base: 1F38A9E0000 protect: page read and write
Source: C:\Windows\System32\runonce.exe Memory allocated: C:\Windows\System32\grpconv.exe base: 28D1F6A0000 protect: page read and write
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\runonce.exe base: 1F38A9E0000
Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\System32\runonce.exe base: ADFE50E2D8
Source: C:\Windows\System32\runonce.exe Memory written: C:\Windows\System32\grpconv.exe base: 28D1F6A0000
Source: C:\Windows\System32\runonce.exe Memory written: C:\Windows\System32\grpconv.exe base: ED098F62D8
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&b=ch&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\Downloads\faststone-capture.exe "C:\Users\user\Downloads\faststone-capture.exe"
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://en.download.it/?typ=1
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Process created: C:\Users\user\AppData\Local\Temp\gngnwua3.exe "C:\Users\user\AppData\Local\Temp\gngnwua3.exe" /silent
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7508 -ip 7508
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 2416
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7508 -ip 7508
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: C:\Windows\System32\wevtutil.exe
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Process created: unknown unknown
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
Source: C:\Program Files\McAfee\WebAdvisor\updater.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
Source: C:\Program Files\McAfee\WebAdvisor\updater.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Process created: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-4ku9h.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&is_silent=true&oc=zb_rav_cross_tri_ncb&p=f4cc&a=100&b=ch&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=zb_rav_cross_tri_ncb&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241004004446&oc=zb_rav_cross_tri_ncb&p=f4cc&a=100" -i -v -d -se=true
Source: faststone-capture.exe, 0000000E.00000002.2479032736.00000000026E5000.00000004.00000020.00020000.00000000.sdmp, faststone-capture.exe, 0000000E.00000002.2479032736.0000000002A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: faststone-capture.exe, 0000000E.00000002.2479032736.00000000026E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SHELL_TRAYWND
Source: faststone-capture.exe, 0000000E.00000002.2479032736.00000000026E5000.00000004.00000020.00020000.00000000.sdmp, faststone-capture.exe, 0000000E.00000002.2479032736.0000000002A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndU
Source: faststone-capture.exe, 0000000E.00000002.2479032736.00000000026E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROGMAN
Source: faststone-capture.exe, 0000000E.00000002.2479032736.00000000026E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SHELL_TRAYWNDU
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BC9215 cpuid 6_2_00BC9215
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoW, 6_2_00BE45DA
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: EnumSystemLocalesW, 6_2_00BEC9ED
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: EnumSystemLocalesW, 6_2_00BEC907
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: EnumSystemLocalesW, 6_2_00BEC952
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00BECA80
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoW, 6_2_00BECCE0
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00BECE06
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00BECFDB
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoW, 6_2_00BECF0C
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: GetLocaleInfoEx, 6_2_00BC7E28
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: EnumSystemLocalesW, 6_2_00BE3F6D
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetLocaleInfoEx, 10_2_00007FF6B48223AC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: EnumSystemLocalesW, 10_2_00007FF6B484CDD4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: _invalid_parameter_noinfo_noreturn,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetCurrentProcess,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47D8D50
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: EnumSystemLocalesW, 10_2_00007FF6B4840580
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: EnumSystemLocalesW, 10_2_00007FF6B484CEA4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47DA1D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_00007FF6B484D2DC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn, 10_2_00007FF6B47F0300
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: GetLocaleInfoW, 10_2_00007FF6B4840B18
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 10_2_00007FF6B484CA78
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_00007FF6B484D4C0
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\loader.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\mainlogo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\RAV_Cross.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\WebAdvisor.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\finish.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\Microsoft.Win32.TaskScheduler.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\dl3\83045e6a\f22e8fd7_7ce2da01\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\rsJSON.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\dl3\3279713d\e5e93253_1816db01\rsJSON.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\dl3\560cc5c9\bf374153_1816db01\rsLogger.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\dl3\2a4e26eb\c3de1452_1816db01\rsAtom.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsTime.dll VolumeInformation
Source: C:\Users\user\Downloads\faststone-capture.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\Microsoft.Win32.TaskScheduler.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\8fad615d\f22e8fd7_7ce2da01\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsJSON.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\323c826f\c15f89b8_1816db01\rsJSON.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\7c1d608a\dc4b95b8_1816db01\rsLogger.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\bc430c3e\6eb97cb6_1816db01\rsAtom.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsTime.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\71b8cdb8\af99a3b8_1816db01\rsTime.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\ecdbbd26\813154b6_1816db01\Newtonsoft.Json.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsServiceController.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\dl3\79fde9ce\e7d49eb8_1816db01\rsServiceController.DLL VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\runonce.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Code function: 6_2_00BE4619 GetSystemTimeAsFileTime, 6_2_00BE4619
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 10_2_00007FF6B4846E94 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 10_2_00007FF6B4846E94
Source: C:\Users\user\Downloads\faststone-capture.exe Code function: 14_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 14_2_004035D8
Source: C:\Users\user\AppData\Local\Temp\is-AFUIB.tmp\faststone-capture_voLss-1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\is-4KU9H.tmp\prod1_extract\saBSI.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Stealing of Sensitive Information

Source: Yara match File source: 22.2.UnifiedStub-installer.exe.1d88ab00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e05c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e48200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e25c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e22e00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e28200.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e42e00.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e45c00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e02e00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e20000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e08200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2300817369.000001D88AB02000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2309181808.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2278728649.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Performance.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Extension.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\QUUPOPSC\rsServiceController.DLL, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.Detections.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Edr.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Helper.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsEDRSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Data.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsRemediation.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsExtensionHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.Quarantine.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\InstallerLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Client.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Needle.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Wsc.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.BTScan.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Performance.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Business.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Client.Messages.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\BXIH37RF\rsLogger.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\3YWFLCQ0\rsLogger.DLL, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Ransomware.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\9990JN8Z\rsAtom.DLL, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsServiceController.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsWSCClient.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.UDI.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Programs.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsCamilla.Runtime.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsCamilla.Runtime.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsWSC.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\LULGB13J\rsAtom.DLL, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Camera.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\mc.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\mc.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Loggers.Business.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Features.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Data.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Core.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsClient.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Quarantine.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\f738c882-2653-4de8-b46e-4c109646600f\UnifiedStub-installer.exe\assembly\tmp\1CPSKOY1\rsJSON.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Updater.dll, type: DROPPED
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Program Files\McAfee\WebAdvisor\servicehost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\UnifiedStub-installer.exe File opened: C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Program Files\McAfee\WebAdvisor\uihost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Remote Access Functionality

Source: Yara match File source: 22.2.UnifiedStub-installer.exe.1d88ab00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e05c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e48200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e25c00.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e22e00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e28200.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e42e00.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.Stub.exe.2e45c00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e02e00.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.gngnwua3.exe.2e20000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.Stub.exe.2e08200.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2302339753.000001D88C3CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2300817369.000001D88AB02000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.2309181808.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2166622369.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2278728649.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Performance.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Extension.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Features.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\f2a95101-dee8-489a-a961-aaecfc79465b\UnifiedStub-installer.exe\assembly\tmp\QUUPOPSC\rsServiceController.DLL, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.Detections.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Microphone.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.OnDemand.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Edr.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Helper.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsLogger.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsEDRSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Data.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.BTScan.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsRemediation.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Programs.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Loggers.Application.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.Browsers.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsAtom.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsHelper.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS85E81A5E\rsDatabase.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsExtensionHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.Quarantine.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\EDR\rsEDRLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Scan.OnAccess.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.RPCServer.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\InstallerLib.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Client.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zSC4B5454E\rsJSON.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngine.Needle.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Self.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\133736644726034605\rsEngineSvc.Externals.RPC.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS8CF8009D\rsDatabase.dll, type: DROPPED