6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

Analysis

max time kernel
242s
max time network
542s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 19:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LDPlayer4_es_1405_ld.exe
Size

3.3MB
MD5

7c2e5ef59e9589422bcd5bf3726fbcb1
SHA1

c4dac6966ac4cd3500d6a7fe44138a0db639d507
SHA256

6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
SHA512

28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45
SSDEEP

49152:XZi5hu7I/BzfK/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hOw:XI5ht/BzfKW1t0xOouBiCV2Ht

Score

8^/10

discovery evasion exploit persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
5812	takeown.exe
1592	takeown.exe
1624	icacls.exe
1016	icacls.exe
5576	takeown.exe
5396	icacls.exe
4924	takeown.exe
2328	icacls.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5812	takeown.exe
1592	takeown.exe
1624	icacls.exe
1016	icacls.exe
5576	takeown.exe
5396	icacls.exe
4924	takeown.exe
2328	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	LDPlayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	UIHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\onboardingballoon.js	installer.exe
File created	C:\Program Files\ldplayerbox\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\Temp3563107506\mfw.cab	Conhost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-pt-BR.js	installer.exe
File created	C:\Program Files\ldplayerbox\x86\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast-h.css	installer.exe
File created	C:\Program Files\ldplayerbox\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayerbox\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayerbox\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\triggeracceptor.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\wa_install_error.png	Conhost.exe
File created	C:\Program Files\ldplayerbox\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\dimensionprocessor.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\wa-install.html	Conhost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\wa-ui-uninstall.js	installer.exe
File created	C:\Program Files\McAfee\Temp3563107506\jslang\eula-fr-CA.txt	Conhost.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\jslang\eula-nb-NO.txt	Conhost.exe
File created	C:\Program Files\ldplayerbox\tstAsmStructsRC.exe	dnrepairer.exe
File created	C:\Program Files\ldplayerbox\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\open_sideloaded_ext_alert_guide.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\tooltip_img_1_3.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_score_toast_increase_bg_left.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_check.png	installer.exe
File created	C:\Program Files\ldplayerbox\LdVBoxDrv.sys	dnrepairer.exe
File created	C:\Program Files\ldplayerbox\x86\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\eventformatter.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\edgeonboarding.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsscspid.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\adblockcounter.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-hu-HU.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\jslang\wa-res-install-ko-KR.js	Conhost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\rules.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\jslang\wa-res-install-de-DE.js	Conhost.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\uwp_storage.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\providers\yahoo.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\jquery-1.9.0.min.js	Conhost.exe
File created	C:\Program Files\ldplayerbox\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayerbox\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\card_bg_image.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\securesearchstatechange.luc	installer.exe
File created	C:\Program Files\ldplayerbox\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-hu-HU.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dictionary.json	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3563107506\jslang\wa-res-install-hu-HU.js	Conhost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\amazon_upsell_handler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\Temp3563107506\jslang\wa-res-shared-sv-SE.js	Conhost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\toggle_on.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\warning-icon-toast.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-options.html	installer.exe
File created	C:\Program Files\ldplayerbox\platforms\qminimal.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Conhost.exe

Executes dropped EXE 13 IoCs

pid	Process
2512	saBSI.exe
4296	LDPlayer.exe
4828	Conhost.exe
3796	installer.exe
3216	ServiceHost.exe
4648	UIHost.exe
4892	ServiceHost.exe
2008	ServiceHost.exe
3764	ServiceHost.exe
5640	dnrepairer.exe
5188	Conhost.exe
4908	LdVBoxSVC.exe
2516	ServiceHost.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3664	sc.exe
2548	sc.exe
4012	sc.exe
468	sc.exe
1612	sc.exe
4212	sc.exe
1444	sc.exe
5792	sc.exe
6048	sc.exe
2044	sc.exe
4788	sc.exe
220	sc.exe
5416	sc.exe
1176	sc.exe
1492	sc.exe
7716	sc.exe
7780	sc.exe
4372	sc.exe
6000	sc.exe
7664	sc.exe
5692	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
4436	regsvr32.exe
1320	regsvr32.exe
2060	regsvr32.exe
3216	ServiceHost.exe
4344	regsvr32.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
4648	UIHost.exe
4648	UIHost.exe
3216	ServiceHost.exe
4892	ServiceHost.exe
4892	ServiceHost.exe
4892	ServiceHost.exe
4892	ServiceHost.exe
4892	ServiceHost.exe
2008	ServiceHost.exe
2008	ServiceHost.exe
2008	ServiceHost.exe
2008	ServiceHost.exe
2008	ServiceHost.exe
3764	ServiceHost.exe
3764	ServiceHost.exe
3764	ServiceHost.exe
3764	ServiceHost.exe
3764	ServiceHost.exe
5640	dnrepairer.exe
5640	dnrepairer.exe
5640	dnrepairer.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
5188	Conhost.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
4908	LdVBoxSVC.exe
5560	Conhost.exe

Registers COM server for autorun 1 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayerbox\\LdVBoxSVC.exe\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 20 IoCs

evasion

pid	Process
5580	taskkill.exe
5064	taskkill.exe
5024	taskkill.exe
4820	taskkill.exe
1980	taskkill.exe
5716	taskkill.exe
5820	taskkill.exe
3748	taskkill.exe
388	taskkill.exe
4648	taskkill.exe
5116	taskkill.exe
4464	taskkill.exe
2864	taskkill.exe
4700	taskkill.exe
4476	taskkill.exe
4460	taskkill.exe
2052	taskkill.exe
5760	taskkill.exe
3376	taskkill.exe
5376	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4A9E-43F4-B7A7-54BD285E22F4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-2354-4267-883F-2F417D216519}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-477A-2497-6759-88B8292A5AF0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4325-9A83-83CF-3FAF5B97457C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\TypeLib\ = "{20190809-1750-46f0-936e-bd127d5bc264}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-6B76-4805-8FAB-00A9DCF4732B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-23D0-430A-A7FF-7ED7F05534BC}\ = "INATNetworkPortForwardEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-8CE7-469F-A4C2-6476F581FF72}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-404C-F24A-3CC1-EE9501D44F2A}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-7006-40D4-B339-472EE3801844}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-3C72-4BBB-95CF-5EB4947A4041}\ = "IDisplay"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4477-787D-60B2-3FA70E56FBBC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-69C8-45A0-88D9-F7F070960718}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-E9BB-49B3-BFC7-C5171E93EF38}\ = "IGuestProcessIOEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-057D-4391-B928-F14B06B710C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-F6D4-4AB6-9CBF-558EB8959A6A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-921B-4F2A-7801-0CC5EC28CDAE}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4810-E174-4F78-199376C63BBE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-B7DB-4616-AAC6-CFB94D89BA78}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-0C55-47B1-AA64-D340A396B418}\NumMethods\ = "34"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-C9D6-4742-957C-A6FD52E8C4AE}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-43E0-E9D0-82E8-CEB307940DDA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20190809-1750-46F0-936E-BD127D5BC264}\1.3\ = "VirtualBox Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-453A-6F98-9CB9-2DA2CB8EABB5}\NumMethods\ = "27"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-CF37-453B-9289-3B0F521CAF27}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-799A-4489-86CD-FE8E45B2FF8E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4325-9A83-83CF-3FAF5B97457C}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-8079-447A-A33E-47A69C7980DB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-E594-4E18-9222-B5E83A23F1DA}\ = "ISharedFolder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-83C7-4F2B-A323-9A97F46F4E29}\ = "IUSBDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-486F-40DB-9150-DEEE3FD24189}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-BCB2-4905-A7AB-CC85448A742B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-1BCF-4218-9807-04E036CC70F1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-35F3-4F4D-B5BB-ED0ECEFD8538}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-35F3-4F4D-B5BB-ED0ECEFD8538}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4A0F-F9D2-5BEF-F9B25B6557ED}\ = "IMousePointerShape"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-3C72-4BBB-95CF-5EB4947A4041}\NumMethods\ = "32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-9B2D-4377-BFE6-9702E881516B}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-F52F-43B9-99E8-4A3C226CBE2D}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-B45C-48AE-8B36-D35E83D207AA}\ = "IFramebuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-9536-4EF8-820E-3B0E17E5BBC8}\ = "IGuestFileIOEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-D612-47D3-89D4-DB3992533948}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-0C55-47B1-AA64-D340A396B418}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-83C7-4F2B-A323-9A97F46F4E29}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4A75-7BD5-C124-259ACBA3C41D}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-AE84-4B8E-B0F3-5C20C35CAAC9}\ = "IStorageDeviceChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-42F8-CD96-7570-6A8800E3342C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\TypeLib\ = "{20190809-1750-46f0-936e-bd127d5bc264}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-453A-6F98-9CB9-2DA2CB8EABB5}\ = "IVRDEServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-405D-41AF-8508-46889144D067}\NumMethods\ = "21"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-AE84-4B8E-B0F3-5C20C35CAAC9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4506-50CA-045A-23A0E32EA508}\NumMethods	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2512	saBSI.exe
2512	saBSI.exe
2508	LDPlayer4_es_1405_ld.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2512	saBSI.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
2508	LDPlayer4_es_1405_ld.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
4296	LDPlayer.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
3216	ServiceHost.exe
4648	UIHost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	LDPlayer4_es_1405_ld.exe
Token: SeShutdownPrivilege	2508	LDPlayer4_es_1405_ld.exe
Token: SeCreatePagefilePrivilege	2508	LDPlayer4_es_1405_ld.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe
Token: SeDebugPrivilege	4296	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2864	2508	LDPlayer4_es_1405_ld.exe	109
PID 2508 wrote to memory of 2864	2508	LDPlayer4_es_1405_ld.exe	109
PID 2508 wrote to memory of 2864	2508	LDPlayer4_es_1405_ld.exe	109
PID 2508 wrote to memory of 4820	2508	LDPlayer4_es_1405_ld.exe	112
PID 2508 wrote to memory of 4820	2508	LDPlayer4_es_1405_ld.exe	112
PID 2508 wrote to memory of 4820	2508	LDPlayer4_es_1405_ld.exe	112
PID 2508 wrote to memory of 388	2508	LDPlayer4_es_1405_ld.exe	114
PID 2508 wrote to memory of 388	2508	LDPlayer4_es_1405_ld.exe	114
PID 2508 wrote to memory of 388	2508	LDPlayer4_es_1405_ld.exe	114
PID 2508 wrote to memory of 4460	2508	LDPlayer4_es_1405_ld.exe	116
PID 2508 wrote to memory of 4460	2508	LDPlayer4_es_1405_ld.exe	116
PID 2508 wrote to memory of 4460	2508	LDPlayer4_es_1405_ld.exe	116
PID 2508 wrote to memory of 4296	2508	LDPlayer4_es_1405_ld.exe	119
PID 2508 wrote to memory of 4296	2508	LDPlayer4_es_1405_ld.exe	119
PID 2508 wrote to memory of 4296	2508	LDPlayer4_es_1405_ld.exe	119
PID 2512 wrote to memory of 4828	2512	saBSI.exe	163
PID 2512 wrote to memory of 4828	2512	saBSI.exe	163
PID 4296 wrote to memory of 4648	4296	LDPlayer.exe	143
PID 4296 wrote to memory of 4648	4296	LDPlayer.exe	143
PID 4296 wrote to memory of 4648	4296	LDPlayer.exe	143
PID 4828 wrote to memory of 3796	4828	Conhost.exe	123
PID 4828 wrote to memory of 3796	4828	Conhost.exe	123
PID 4296 wrote to memory of 2052	4296	LDPlayer.exe	125
PID 4296 wrote to memory of 2052	4296	LDPlayer.exe	125
PID 4296 wrote to memory of 2052	4296	LDPlayer.exe	125
PID 4296 wrote to memory of 1980	4296	LDPlayer.exe	127
PID 4296 wrote to memory of 1980	4296	LDPlayer.exe	127
PID 4296 wrote to memory of 1980	4296	LDPlayer.exe	127
PID 3796 wrote to memory of 4372	3796	installer.exe	128
PID 3796 wrote to memory of 4372	3796	installer.exe	128
PID 3796 wrote to memory of 4392	3796	installer.exe	130
PID 3796 wrote to memory of 4392	3796	installer.exe	130
PID 4392 wrote to memory of 4436	4392	regsvr32.exe	131
PID 4392 wrote to memory of 4436	4392	regsvr32.exe	131
PID 4392 wrote to memory of 4436	4392	regsvr32.exe	131
PID 3796 wrote to memory of 1320	3796	installer.exe	132
PID 3796 wrote to memory of 1320	3796	installer.exe	132
PID 3796 wrote to memory of 3664	3796	installer.exe	187
PID 3796 wrote to memory of 3664	3796	installer.exe	187
PID 3796 wrote to memory of 4212	3796	installer.exe	134
PID 3796 wrote to memory of 4212	3796	installer.exe	134
PID 3796 wrote to memory of 2864	3796	installer.exe	174
PID 3796 wrote to memory of 2864	3796	installer.exe	174
PID 3796 wrote to memory of 2548	3796	installer.exe	139
PID 3796 wrote to memory of 2548	3796	installer.exe	139
PID 2864 wrote to memory of 2060	2864	Conhost.exe	138
PID 2864 wrote to memory of 2060	2864	Conhost.exe	138
PID 2864 wrote to memory of 2060	2864	Conhost.exe	138
PID 3796 wrote to memory of 4344	3796	installer.exe	140
PID 3796 wrote to memory of 4344	3796	installer.exe	140
PID 3216 wrote to memory of 4648	3216	ServiceHost.exe	143
PID 3216 wrote to memory of 4648	3216	ServiceHost.exe	143
PID 4296 wrote to memory of 4700	4296	LDPlayer.exe	156
PID 4296 wrote to memory of 4700	4296	LDPlayer.exe	156
PID 4296 wrote to memory of 4700	4296	LDPlayer.exe	156
PID 4296 wrote to memory of 5716	4296	LDPlayer.exe	159
PID 4296 wrote to memory of 5716	4296	LDPlayer.exe	159
PID 4296 wrote to memory of 5716	4296	LDPlayer.exe	159
PID 4296 wrote to memory of 5760	4296	LDPlayer.exe	161
PID 4296 wrote to memory of 5760	4296	LDPlayer.exe	161
PID 4296 wrote to memory of 5760	4296	LDPlayer.exe	161
PID 4296 wrote to memory of 5820	4296	LDPlayer.exe	162
PID 4296 wrote to memory of 5820	4296	LDPlayer.exe	162
PID 4296 wrote to memory of 5820	4296	LDPlayer.exe	162

C:\Users\Admin\AppData\Local\Temp\LDPlayer4_es_1405_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer4_es_1405_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- - C:\Windows\SysWOW64\regsvr32.exe
    /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayerex.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
  "C:\LDPlayer\LDPlayer4.0\\LDPlayer.exe" -silence -downloader -openid=1405 -language=es -path="C:\LDPlayer\LDPlayer4.0\"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
    3⤵
    - Kills process with taskkill
    PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM fynews.exe
    3⤵
    - Kills process with taskkill
    PID:2052
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM ldnews.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM LdVBoxHeadless.exe /T
    3⤵
    - Kills process with taskkill
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM LdVBoxSVC.exe /T
    3⤵
    - Kills process with taskkill
    PID:5716
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM VirtualBox.exe /T
    3⤵
    - Kills process with taskkill
    PID:5760
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM VBoxManage.exe /T
    3⤵
    - Kills process with taskkill
    PID:5820
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4828
- - C:\LDPlayer\LDPlayer4.0\dnrepairer.exe
    "C:\LDPlayer\LDPlayer4.0\dnrepairer.exe" listener=1048688
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    PID:5640
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:1220
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:672
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:3868
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:4972
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:5100
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer4.0\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4924
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer4.0\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM LdVBoxHeadless.exe /T
      4⤵
      Kills process with taskkill
      PID:4476
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM LdVBoxSVC.exe /T
      4⤵
      Kills process with taskkill
      PID:3376
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM VirtualBox.exe /T
      4⤵
      Kills process with taskkill
      PID:5116
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM VBoxManage.exe /T
      4⤵
      Kills process with taskkill
      PID:3748
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\6ACBC0F7-E0F3-46DA-9183-964F87CE9637\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\6ACBC0F7-E0F3-46DA-9183-964F87CE9637\dismhost.exe {6E51807A-5C2A-41C4-9503-D786FCD11DAB}
        5⤵
        
        PID:5188
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:220
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:4788
  - - C:\Program Files\ldplayerbox\LdVBoxSVC.exe
      "C:\Program Files\ldplayerbox\LdVBoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4908
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\VBoxC.dll" /s
      4⤵
      PID:5560
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxClient-x86.dll" /s
      4⤵
      PID:5472
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\VBoxProxyStub.dll" /s
      4⤵
      Registers COM server for autorun
      Modifies registry class
      PID:5520
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Modifies registry class
      PID:5480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "LDVBox" -Direction Inbound -Program 'C:\Program Files\ldplayerbox\LdVBoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start LdVBoxDrv
      4⤵
      Launches sc.exe
      PID:5416
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create LdVBoxDrv binPath= "C:\Program Files\ldplayerbox\LdVBoxDrv.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayerex.exe
    3⤵
    - Kills process with taskkill
    PID:5376
- - C:\LDPlayer\LDPlayer4.0\driverconfig.exe
    "C:\LDPlayer\LDPlayer4.0\driverconfig.exe"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f "C:\LDPlayer\ldmutiplayer\" /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5812
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1592
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\LDPlayer\ldmutiplayer\" /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1624
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1016
- C:\LDPlayer\LDPlayer4.0\dnplayer.exe
  "C:\LDPlayer\LDPlayer4.0\\dnplayer.exe"
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:1176
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:1492
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:468
- - C:\Program Files\ldplayerbox\vbox-img.exe
    "C:\Program Files\ldplayerbox\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer4.0\vms\leidian0\system.vmdk" --uuid {20160302-bbbb-bbbb-06e3-000000000000}
    3⤵
    PID:6564
- - C:\Program Files\ldplayerbox\vbox-img.exe
    "C:\Program Files\ldplayerbox\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer4.0\vms\leidian0\data.vmdk" --uuid {20160302-cccc-cccc-06e3-000000000000}
    3⤵
    PID:8120
- - C:\Program Files\ldplayerbox\vbox-img.exe
    "C:\Program Files\ldplayerbox\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer4.0\vms\leidian0\sdcard.vmdk" --uuid {20160302-dddd-dddd-06e3-000000000000}
    3⤵
    PID:5088
- - C:\LDPlayer\LDPlayer4.0\dnrepairer.exe
    "C:\LDPlayer\LDPlayer4.0\dnrepairer.exe" cmd=fixError|playerid=0|errorcode=13|subcode=-2147467259|reportid={2C9661E6-7378-4493-B26A-3AAF4296C0F3}|vtstate=1
    3⤵
    PID:5976
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      PID:5232
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:5536
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:3424
  - - C:\Program Files\ldplayerbox\regsvr32_x86.exe
      "C:\Program Files\ldplayerbox\regsvr32_x86.exe" Initpki.dll /s
      4⤵
      PID:5056
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:6100
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer4.0\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5576
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer4.0\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5396
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM LdVBoxHeadless.exe /T
      4⤵
      Kills process with taskkill
      PID:4464
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM LdVBoxSVC.exe /T
      4⤵
      Kills process with taskkill
      PID:5580
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM VirtualBox.exe /T
      4⤵
      Kills process with taskkill
      PID:5064
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM VBoxManage.exe /T
      4⤵
      Kills process with taskkill
      PID:5024
  - - C:\Program Files\ldplayerbox\LdVBoxSVC.exe
      "C:\Program Files\ldplayerbox\LdVBoxSVC.exe" /UnregServer
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxClient-x86.dll" /s /u
      4⤵
      PID:6124
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\VBoxC.dll" /s /u
      4⤵
      PID:5196
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" query LdBoxNetLwf
      4⤵
      Launches sc.exe
      PID:1444
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" stop LdVBoxDrv
      4⤵
      Launches sc.exe
      PID:5792
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" delete LdVBoxDrv
      4⤵
      Launches sc.exe
      PID:6000
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" stop LdBoxNetLwf
      4⤵
      Launches sc.exe
      PID:6048
  - - C:\Program Files\ldplayerbox\NetLwfUninstall.exe
      "C:\Program Files\ldplayerbox\NetLwfUninstall.exe"
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      PID:6200
    - - C:\Users\Admin\AppData\Local\Temp\447199CE-99BF-4606-9030-397901823A80\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\447199CE-99BF-4606-9030-397901823A80\dismhost.exe {FBA3AFFE-3A3D-42A3-894E-B7071B0229A4}
        5⤵
        
        PID:6880
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:7664
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:7716
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:7780
  - - C:\Program Files\ldplayerbox\LdVBoxSVC.exe
      "C:\Program Files\ldplayerbox\LdVBoxSVC.exe" /RegServer
      4⤵
      PID:5576
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\VBoxC.dll" /s
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxClient-x86.dll" /s
      4⤵
      PID:5764
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\VBoxProxyStub.dll" /s
      4⤵
      PID:5396
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      PID:3344
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create LdVBoxDrv binPath= "C:\Program Files\ldplayerbox\LdVBoxDrv.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:1612
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start LdVBoxDrv
      4⤵
      Launches sc.exe
      PID:2044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "LDVBox" -Direction Inbound -Program 'C:\Program Files\ldplayerbox\LdVBoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:5484

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
  2⤵
  PID:4828
- - C:\Program Files\McAfee\Temp3563107506\installer.exe
    "C:\Program Files\McAfee\Temp3563107506\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\SYSTEM32\sc.exe
      sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
      4⤵
      Launches sc.exe
      PID:4372
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        5⤵
        Loads dropped DLL
        
        PID:4436
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:1320
  - - C:\Windows\SYSTEM32\sc.exe
      sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
      4⤵
      Launches sc.exe
      PID:4212
  - - C:\Windows\SYSTEM32\sc.exe
      sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
      4⤵
      Launches sc.exe
      PID:3664
  - - C:\Windows\SYSTEM32\sc.exe
      sc.exe start "McAfee WebAdvisor"
      4⤵
      Launches sc.exe
      PID:2548
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4344
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
      4⤵
      PID:2864

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4648

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4892

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2008

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:3764

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2516
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  PID:2388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x318
1⤵
PID:5732

C:\Program Files\ldplayerbox\LdVBoxSVC.exe
"C:\Program Files\ldplayerbox\LdVBoxSVC.exe" -Embedding
1⤵
PID:3548
- C:\Program Files\ldplayerbox\LdVBoxHeadless.exe
  "C:\Program Files\ldplayerbox\LdVBoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-06e3-000000000000 --vrde config
  2⤵
  PID:4960
- C:\Program Files\ldplayerbox\LdVBoxHeadless.exe
  "C:\Program Files\ldplayerbox\LdVBoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-06e3-000000000000 --vrde config
  2⤵
  PID:5636
- C:\Program Files\ldplayerbox\LdVBoxHeadless.exe
  "C:\Program Files\ldplayerbox\LdVBoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-06e3-000000000000 --vrde config
  2⤵
  PID:5152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Loads dropped DLL
    PID:5560
- C:\Program Files\ldplayerbox\LdVBoxHeadless.exe
  "C:\Program Files\ldplayerbox\LdVBoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-06e3-000000000000 --vrde config
  2⤵
  PID:5280
- C:\Program Files\ldplayerbox\LdVBoxHeadless.exe
  "C:\Program Files\ldplayerbox\LdVBoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-06e3-000000000000 --vrde config
  2⤵
  PID:3568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:5188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ee055 /state1:0x41c64e6d
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer4.0\LDPlayer.exe

Filesize
920KB

MD5
4b66ba674fc112c55e615cac9935530a

SHA1
90ba5726016d7a1fcb36e3abf4f42318c3751839

SHA256
27e8f5557632758ed02c239595e90dff0099627bdff61861c086abd9ab30b8da

SHA512
9dc949e86e26b570f77c131cf0d46ec5ea61144d108b76e265c0770fbab36f0164e2baaa926bc8121baf5f03140f9f8ddf818a9d1d32c6ca01f665a0657324fd

Download Submit
C:\LDPlayer\LDPlayer4.0\LDPlayer.exe

Filesize
938KB

MD5
bcaaad90b0c2695f30235dfab96e8217

SHA1
4a7b3f0749302d54734f51840172dc5ebd876179

SHA256
b8dc8d79063eab23ec84f3855351516174a468dc29398e27de723e824e397729

SHA512
62be14a84d74bb988eba9ef47143c5c48c1bbfe9931ffce5b78da06720adc9335612dc5040ced3e9a99f9f365aa86a00d6a59630ee3809bf7474e1f238662042

Download Submit
C:\LDPlayer\LDPlayer4.0\dnmultiplayer.exe

Filesize
383KB

MD5
7d092a874675729b9527505cbadf5d3d

SHA1
a6cc6f86a6ca1365156691435f48fac796337170

SHA256
5c53b51bae878d0d64a346e53e975e3e280a86b831b51462556d0b02eb4db468

SHA512
63858357391af1dca383406287c88d485783b4b932489805285015e2b6476635395c0caa72579971997635f3427c69c15babe98f323ad2ce14af07774e305a2d

Download Submit
C:\LDPlayer\LDPlayer4.0\dnplayer.exe

Filesize
296KB

MD5
7aaefbd28f274cd49816c8cf52cd4c6b

SHA1
e68e28441581ad81647d985fd2f754035f75fc67

SHA256
b7693023970e7f7af6e3583750e0cabceda3ed03d845023d7ec96a9450c57682

SHA512
1e24069fb303ba4ad5f47363bf54a93e78344ead60362f0628156120da23c7f3f665a6257651e7d62c84cfc11046de34db9441e751b363730f4f4c2e71db4f0d

Download Submit
C:\LDPlayer\LDPlayer4.0\fonts\NotoSans-Regular.otf

Filesize
134KB

MD5
9851508b01cb7b3792334a7cd925689e

SHA1
af155378e2ebc249db4a453ccaaf6e01a8c0e6fd

SHA256
9b2bde0919d3ae1d11685dfb74cfa26c9a2128add42976450086f5ff0353b9da

SHA512
99a0db1dcb2e2602d4802e4f92e9878b3ed7fb67b8e78f75dc174b4ed6d80d68dd0c3b27e9eed3adf7a5e73286f5fae73e32173583240c0323c21fd88e2456e0

Download Submit
C:\LDPlayer\LDPlayer4.0\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\7za.exe

Filesize
108KB

MD5
6d261345c475de290b51b77cb74fa790

SHA1
9163f2b1bded981fc5159512f07d209b03f8a3da

SHA256
fed7e58515f0f95f49f8b65cbc673bc0e57b56a4fd2b8ac443243363de20cbfa

SHA512
ca8d6d81598f2dc346663b153a2fda30c80de7167f1d082768315701c2e596c023a36995cf7cf255332ea285e69418ffbb950fb279aa18f2835aa40b83c527a9

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\cximagecrt.dll

Filesize
180KB

MD5
456e24a4d76b535c27812cb5b3ea9199

SHA1
6625e7397a26fda5435a6b3065b5dc797d41aae8

SHA256
94c4ec35f30581db5abbce371bd8f3891654f1f249d5dcb77a0d9dcd6a264627

SHA512
4a79cdbed48626689a41095970de09467b1fbff53af0b0cf1011379e42e11e8ba32faae8d97cb35bbae086c7afc71af03205b09f7a7806a01c56c2a15f091ab8

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\libcurl.dll

Filesize
111KB

MD5
340b4b1baf60a752981aeecd7f4f5ecb

SHA1
5404bb4aeb725d0123501d17836090ae1f14e3c6

SHA256
af2e9d5c125793832c5eaef03e7778cd2c66c67daa7824a2b311cc941f0e16e0

SHA512
2a9488a4379e7e982d84fc149f15e52decbf18a752cec59ef4b4d8521b7828d095e8daefce1838f8beec3eea1b34ceb56ae782a6d981ce68c28afebc40da93d1

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\msvcp110.dll

Filesize
203KB

MD5
de8504c1b4f3aab7499e417adfdca7a1

SHA1
c3628b13ac3364d8d7a209d3785edf0483aec1b7

SHA256
f7e419f78b37332091b4fbc9fbdb33955707b89c5546a899e713eb704d97d042

SHA512
27e64592d764f9d1a21e7b3463a4786c156818832c09336b9e091c7e47fec698545aa0cde3a04ca5127a912c303ed15a30d10d5c425781102bc7790ce707af90

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\msvcr110.dll

Filesize
165KB

MD5
f0b6cfa22642d5226a878fca7d79ca6b

SHA1
5301057c6c20337b056ed2197b18fe37b62939b6

SHA256
23e5660a58d09ef30c8a0a90cf2d6addba1f485ff6217507ce3155e061ec3d7c

SHA512
c7c2b17f17f16d44a358dc9000718c886eb6f031315a90c09da8d9402a646f332dac3a4be402cd8e8ef68377485eb8220a9f5d0205159c93f97781e251d73825

Download Submit
C:\LDPlayer\LDPlayer4.0\ldmutiplayer\ssleay32.dll

Filesize
111KB

MD5
c0053a34d934a82f064b51739ae7e251

SHA1
708dbb54709007c23173809a477e40f2f163a748

SHA256
ac7c1351daef7088dd3d89886bce424de566c535c7e4a9708db63beda52e5a77

SHA512
7a0c44749fef1193cd9301c72e3eb1b7eb2a999477878847cbf3116440419006ec72d6abd7cc36452f48ab8b409104c3ad9ded60d0781648486a398764e9e3e2

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\leidian0\sdcard.vmdk

Filesize
512KB

MD5
99d39121fe4a00200243b8cc92d23700

SHA1
0664eb9f930137cf944fdbeefc4774b4c50db827

SHA256
d50c31b020e2510f2264f4644d64e78bf9cbaa1b8e4edad6a7ea66e75f9ae72f

SHA512
673549d5fa36a192cf852ce7e2182a92e10ef68b8ff2b70df0cc41fbf04d159c205afa92a85cd2b8db4796c13587df665bd260fbf4290fbb665b183b2b3f8d04

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\Cross Fire(challenge).kmp

Filesize
15KB

MD5
a84b069f5e42a7f57c9cbdebeed81f40

SHA1
999097282d9767434067e1ae3811704bb92589c6

SHA256
953b5f074e31c2098da5b339a4bc67bce6304b064f4cf1fff44b62acaaf617f0

SHA512
45c2dfe1be759d1cb1d64ca928eabda5de09c1fdf2fc952d201fd41828466a3914c5b929065de03605330398a12594411eb96aa70ed694ead1e51acd7632ffdf

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\DNF@01(←↑↓→ Model).kmp

Filesize
18KB

MD5
c04b9a82e393a3c5113f9cedcc13fe9a

SHA1
b3b2e24ef5e0e2e8d5045ede2d8ecdb36c94ab8d

SHA256
71c4e70b33cb64a3fc29e62d8a5c3ac39c6aa4b9f04ad4d49665ecd065693c0a

SHA512
f4461c0a244d21928f7300b4e025de0ebe3cf8674474338d94527ad372f9270dc31ba9d5b92083da2561aec1a672a18913dafcaa6f05ce07cbb6b13dcf41f275

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\Hyper Front@02(Mode 1).kmp

Filesize
15KB

MD5
a0860b13776e90685e1dc0f115fafff5

SHA1
45d8c0cf4a202b0b460025a5e19801e6c1abb8dd

SHA256
77051be2b580ba6773b6f37edf20f8cf1de47f9682a684875837dd6235be76b3

SHA512
9132c2a1980084f8abbbcb35a4b26858230788ba2f4efcd9ab09556ff81a010d63074e045bcb103cb348968be7dfa373b95ba13d624715d092c2195fc01171d4

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\PUBG@03(2K Default).kmp

Filesize
32KB

MD5
6a578c88a69ce772cbff87857051df38

SHA1
18e460ab0163305f3cd8a724f1df2e0199a801c8

SHA256
600c458e3955f36f0802598e7a51675962597e1d3c8cf4c2dd9ed25941b5c6b2

SHA512
2db4e45f5ae27a312f802b19f2b56c8f8c4dfb574008b7df83bfafc56da60a05b6ff97d2cd2c105e42d393fd41db2dd2fed949d4981579f3f3ec0090d885f9f2

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\Tom and Jerry[Keyboard operation mode]@01 (Jerry).kmp

Filesize
16KB

MD5
07d721d103540e005fdd784664cfbaa6

SHA1
ef4d304ed3c0162def5e623c87521a47dd323807

SHA256
b41b5b9abe8fd82fb5ac32a3d36e6bc16e5ac40987bc59999c489706431f50e9

SHA512
e2276cd4af34657bb82f44dbedba6df523d788a1c9d24752d3e11925cad73a71e73e1cd8ceafbb45404dd8204267f2ed2ed5793cf73c18bbbb0c5ba4fd73bca4

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\marvel super war[LOL model](3 skill).kmp

Filesize
16KB

MD5
2b335914fba68be3b639af894ca8d380

SHA1
f426729f6b8cfc28af5e92c399a33c1a76d9f7dc

SHA256
18d8fd52a1c193b7e1b989d2e0abbdd054de685acb46bd5337a04963f33d77ba

SHA512
35157c2c9947a552ab1f951497b6df2cd55317cc2e00bb1af25310191139a56177bd5e3abd3be51a16f6f005fcc585a93ad43134e52f2ab919024e29f595f670

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\劍靈革命.kmp

Filesize
18KB

MD5
a770317d87a87b2f84ece2f958cb473b

SHA1
5c8840199cda6ecd2210bb56dd7e282b4b18abd8

SHA256
0711efe6d95f3630b1e1687ed169ba141d95272dfabec29aeaf7fd5347f034cd

SHA512
af2c86b5e66977bc8f7ba040b4e19b62e9e1fc8e340d9a500f8c1ed8010dee38bf99f4328dce3dec212bc958bedabc78a6ab0d45b55310cee78c9deb09ad3e9d

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\灌籃高手@06(KAEDE RUKAWA).kmp

Filesize
12KB

MD5
c6663359083f11a6bddc7a1fbcaa264a

SHA1
ebf1c4102196308d69df6b3ccef8e78de7ed2ef5

SHA256
437ec41da7414e58f96d8d04991cacbdd5ef042bb64f22e787d4ce526b17164f

SHA512
cfdb84d44a3977c3404cf6aea5f416047ffbba84eda461eef081b4eca14bb89ef0eda3e6990db72bdca8ef945c395073a0ee165350585815fdb5be677ed31ba4

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\灌籃高手@06(YOSHINORI MIYAMASU).jmp

Filesize
6KB

MD5
3a1ea631538635231c83fbb0e6b43172

SHA1
793f2f995e22473ed51edf8c819bd137a638a3b8

SHA256
55694d965640d1fd88285eedc4ea1888019d19f921f58b19ca3e6a065bdd8e2d

SHA512
b4a86d6ffc76c31407338a405f65f8c16a18a082a52c5968fc10c6c13f037cec79e90a3b46b00794cb4564a1696d0bc965bc02bbb16abfb88dfe7bab1b6d22ca

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@01[PC Model](Annie).kmp

Filesize
26KB

MD5
60c3815bfe36f047ec0434926d319ced

SHA1
90f628debbb2bde75ec6939c8a904c21ca05ba14

SHA256
9ec1f1bc3fa1a78374783aea451573c935b4338b737ecd4e17faabdf801195ec

SHA512
095471941ba9ca0eeec27a156ebcce360c10afd9cb8e926e4af755d6e69f3513fae28c1140056016b3768172684418ece1d51b4440a2f693ef1c4d57a4732b75

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@01[PC Model].kmp

Filesize
27KB

MD5
9428775132f0283a87811f3af2ad2665

SHA1
bc2c735c1a4465a8330eb6667de95d0e5135920f

SHA256
bdf12a17e6ae1c7489c43030b2a951bf293eb67ee2c4980a3024432f41ce1017

SHA512
6980a4e8d333fcefc52dbdeafb1df4c8c7a459bce89851e7a50a940f45c666eb9e921a8a0efdb8720b1d4b2c1dcf04db945f2b2484b76d417f064344b62cd504

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@02[WASD Model](Aurelion Sol).kmp

Filesize
23KB

MD5
e4765481e0f9bb9f97ee64b2987538e1

SHA1
f743b059b3f5c90f470dac43a4cd7a9cdd769175

SHA256
3bdcbbb5bb7e7ad314d998102b9167db29fe0fee899f77dcc6bc0d69c1ccfaa6

SHA512
94a598e37cec4e62931eb205b8a0c918dcf89af3e9cd61bb5cf58c15a0886b69d72231d679c4ace820e70446da2823c7912c33e1d69766686249d9b3b3cdf286

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@02[WASD Model](Gragas).kmp

Filesize
23KB

MD5
5ded88ce9d7367113a78b8c336df4673

SHA1
a51a4a26cad36d5fb534cec1ab4b7a9b824e2ec2

SHA256
7b7022382d048ec86e66e42e38658d5631e890e1487cd6623ece44ca09795c21

SHA512
e0c771951fcf676e3cf56143b22a17fa9b5402ca9d8f176b94e372b275c2ea23e793076242dbdeaf56fa4cd8aa63958b8c3f66d9ee0504a2064c633f5cd4fad0

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@02[WASD Model](Jax).kmp

Filesize
23KB

MD5
8334cc6e12498113249be9a208c6d3c4

SHA1
3bb4994f4cc9d240c9545e1a33b6ed8e5cee81bf

SHA256
40f0985c85e59bc0c142d8ddbdf86f39dbd0daf084e0457043c4ddcaab14fa48

SHA512
3475e239c98ef55dfbd50051660b31116ea5f008779b562727d0a53420a75d0f06a6c40b602ea6d91b3ef0640f1c8e79506c8b7e83307cc5c9e474af97bee20e

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@02[WASD Model](Kaisa).kmp

Filesize
23KB

MD5
100574d0a4008a70cf2f6bd159d3c4cb

SHA1
78661c0148e85463eeb2b78163284d09c6213308

SHA256
9f18bfbc99c7b8e0f37047daa1e08884151aa57b3072d5a837a2b0188ee1735a

SHA512
b9aceb5c2e3b261bc918a840e06d022a4b671af28f3bbf3901fafe417b4940606558b10675ae21ae980d778894cdb07a13320a932a83a2c0520550a799cb20fc

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟@02[WASD Model](Wukong).kmp

Filesize
23KB

MD5
c6795ef98df6ed699012201e9a492885

SHA1
f3caed409650b21fd98dc40930676ad8673a67a1

SHA256
2c3b5866e12aef9af9310c8cf81b77f4085c74a78017d59f6f7cbce8a5077c5c

SHA512
c48ee45de4f1219c1290fcde63ffd664cb65a4976048b097143a8627dca511b2ca99a1912f6e7080d4940b9ac0ed8c80ea1ffd00d985fa7eaf2a54598a035f75

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@01[PC Model](Annie).kmp

Filesize
27KB

MD5
64ffff6ea4dc45370ce3eb6b9a749e38

SHA1
aab55ae7eab6ad3257c63cf234634ef6ae5796d1

SHA256
ebfae17c910125fa35cc8cac824ca7bb7aa375192a08f01bafb0383d41e150c0

SHA512
50d8e9f5be2780e7428879adf29eaf1b69b25aa5694a42f0e31b197d3df203a71c84f392acff140a0477af15dc87e893144b539bd829edd1fbbcfaf089d345b4

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Aurelion Sol).kmp

Filesize
23KB

MD5
682affc6815ef14407a0ccaa2a9d10b4

SHA1
2a2cff38810242cc9b11ee117c140166216d6562

SHA256
525e5a747d0929595e768bbe44d06e29a73a90a560062abc3c995b9ea0995993

SHA512
f19ec184893627a25b993c5628339ea3ae4bba8a72f0358d94987763259f176feb543aa552422a66647def71b236e5c6ee58c97ac6978d4a27b5a1f8c5f1c97d

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Draven).kmp

Filesize
23KB

MD5
d61e02e3a98f4b9f5d48583d4ef06183

SHA1
be5cc1136b519d40e49186f9f1388c32f8178239

SHA256
34a9313a9114fee24cfe249b0e67dcd3d40bb6827a70df8254f0e14ef2f6a647

SHA512
d61b8a181cb870f3970b8930473ab8e4610b152c65076ec0c1f11ae3043b967cae618e641e53d1585cbb14ea63a5baf0199cccc8deeafe8861854c8887c685bd

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Fizz).kmp

Filesize
23KB

MD5
59d776b70cdfc45191ac842025098a91

SHA1
7c8ce35fe683b37fc8a147dcde160e37418d9d02

SHA256
e5678f9cdef764f22131b20823bd631bd7c7fa602723de46a4b5204b4c136e9b

SHA512
c16b1b259018fa9c5ce1e62f7bb197040a8a66a9696f7eae71b0fb75e71a0e17f24d491bf40d7d9a4c512631a118314a2605198e660da4940398d19b099bb5ed

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Lulu).kmp

Filesize
23KB

MD5
7a6a61866bfa6fd9cdc96758a2232dfd

SHA1
d45ee66610c64686f2993de53b5e38e9745267ba

SHA256
4527310c9ded77ee983c478783f419b3d41ea850aaefc1470f9b3c74ee16de06

SHA512
09fe866ce2626dede45ffafc18c2daa952544bbb7d5c1afbe4437ff287202c4320ce09d416634a51ceb5bd0998d3047cda0c1e26e5d402b2de42d4d4d753c42c

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Malphite).kmp

Filesize
23KB

MD5
77c6bdcc7f852110d3fe2abb856453e8

SHA1
388d267618745237ed5aa50f686d6308aaa3dd29

SHA256
0f857556c697c2afa9520c9fc652fd4f1ae43580db97f4dd26ba3b6df7e886af

SHA512
c03fdc1e9d636f2e86d83ff0999833c7794f3e49afa7e3cf64a76027f89a747da7a3f05b0d9caa797ab201b85ae972188b3e85d47227f5ff0bd190be471ebc11

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Seraphine).kmp

Filesize
23KB

MD5
f04cd4a8f6845ce984435e7b6a1e5cd0

SHA1
95d57f868a9e4eec02ea3d66e83747138112187d

SHA256
da34ebebb3e51abcd3f94262f0191e4f9222275622473ce62e40cfa1cdd6ba8f

SHA512
48b3ba2e7689245bf4cdb7db931a770e2e274e7873191644f45c8fa32417428e1813ff54beba74ef1396aaa55ee550764e52c5b0de3b78e866ad8f30a3f7a56f

Download Submit
C:\LDPlayer\LDPlayer4.0\vms\recommendConfigs\리니지M.jmp

Filesize
15KB

MD5
c9ad0a8d082c9788811b525b024008d8

SHA1
276a235b58e3a55539c03b4ec3453729fd7470de

SHA256
beb4913f3a52a1279c3fb9105c48484cb565299a04d18cf679412fd436124d24

SHA512
33e9dd124d80c5401ddc37eb563ddf9099a75f845b8ae6ad50cd2a297c5989e9faf10e96e238683d3ea2b24bc728aa223f8561f80129fa6e622a6dc92f527c6f

Download Submit
C:\LDPlayer\ldmutiplayer\libeay32.dll

Filesize
137KB

MD5
8dc4619638df42ed833d0385bb8b5045

SHA1
f4a1453ea508705bdf988e519fb70a1d5e25fd73

SHA256
4abeb98b61bae6fe53cd2f5be076eca6dc4c13a1bfdb8c23f7bb8d7393dfdc13

SHA512
09bb6438b6cee95fa1b07406986d65748f5e366928fe7996535dfb3b1e18fd3f04349067642f66b4e8730774c174e99fa22f4a2b6ce9253edf3f55bfae8915b6

Download Submit
C:\LDPlayer\ldmutiplayer\msvcp120.dll

Filesize
254KB

MD5
dcee501ee4fb12c96866fa80bc4efa27

SHA1
20f3612c58cd54fc7a0693c708d34ee8b24e5e0b

SHA256
7125d569f167bbe9881dc487858f34559aa37791d71ad6a4e212bab2274d5358

SHA512
3c2a5717124b0415026376499b7b2d50cdb58b24c6c57c11ec6ce39d6f8fac11551e74590d684d1f1beedc328b0fd6a19947cae1344fa15a741c07a74dd4f4df

Download Submit
C:\LDPlayer\ldmutiplayer\msvcr120.dll

Filesize
235KB

MD5
ca040467fa277816e148dfdaa2320e6f

SHA1
e7a150dddaf8421d0efbdfcaa39869d7309fbea7

SHA256
cbe46cbee3169f305ba4537563848d8c74c5532747012de41b0ad8142ac53e93

SHA512
89793d410604b14b58476c62f2004373bf206a259dcf24a08d632d6655c577a65f8d035a7e5877ea17e63eaade1b3d8b0b366b75ef0709d2051ded9e790b28a0

Download Submit
C:\Program Files\McAfee\Temp3563107506\analyticsmanager.cab

Filesize
460KB

MD5
caccc4bb47431575cb82f5c96d69d7b6

SHA1
3a995136a913e778cfb5fc89b3fb999298254900

SHA256
11e800ea1fe97ff9e3040f35a1ee6f538cf404450e57329805b64394a258cb5c

SHA512
6f5abc9795c6f12e00737e2e4b23c908c60d6c428f1f7bf59e8b47a28847fca984ceec68b92cc708479c35f31d06296db95bc376ccc46881aae89d968387b446

Download Submit
C:\Program Files\McAfee\Temp3563107506\analyticstelemetry.cab

Filesize
68KB

MD5
f8b43393e78a77d94a89d8bf873de21d

SHA1
27869dc7ad7fe2e422b3480dc37a5a9d439cdd76

SHA256
79fa1e3f81985efa3ab227ee023734f92ee2b2325c42f38ac3c152b7b40f5fa8

SHA512
44c960bd43b7e1adf1232f0d5882999d66952c8cddaab7b38da6019f303d43e01a723e29070570906432dfb580bb6b0511aeaf5d183c47de540d9e48abf26b54

Download Submit
C:\Program Files\McAfee\Temp3563107506\browserhost.cab

Filesize
231KB

MD5
928711ff434263ffaa55b9b863c70212

SHA1
45f68c3d26198e60b37bb12def6779a02f45be68

SHA256
4c98514ed7966793dacca3946515993c5ff318b991105bdf3a71ba2f3e97a171

SHA512
ae74e216d11d673d18c0201d142f98633fc3bb86f0c299db3a752c1d2a34f1e45774040d3785174b69f4310db61448847273bbbee809603af8ee4fe52f2df53d

Download Submit
C:\Program Files\McAfee\Temp3563107506\browserplugin.cab

Filesize
305KB

MD5
6da16a2f462ed27fa8d8b1d3904259f4

SHA1
944a7225d7c23dec7ba896183ae6ae394c4c1a66

SHA256
65b0bd6f9f7e2906512c90b6b4c0c10b1d9710cbf1372e647a055473c21e1b3f

SHA512
3074b87b16b80c93cebd1b9464558b4f983b02259cb4bc0b7ab5902f758a5252a1b12b01d71899257f5d2d93f8859e4b77ae5231d86f3e58e4fb7d5d62e163b7

Download Submit
C:\Program Files\McAfee\Temp3563107506\downloadscan.cab

Filesize
175KB

MD5
d192a7330bae2be325e73095718b4dcb

SHA1
8df33581041a2ea6039f6dab2e010abfd8b58db9

SHA256
059c876c8dd1687bea71e710d36aa474eeb02606a51450defabf4921c2638621

SHA512
d189a78896d4f4f8872b1f104dd36715ae1e2ce630f4c8b98ed0d23d39746f25f4fefcac2689729753a4d6028cd5dd438d1396728deec093be430a5ef5375c5e

Download Submit
C:\Program Files\McAfee\Temp3563107506\eventmanager.cab

Filesize
226KB

MD5
dafce1fd35510ae45f4a066161d65b5b

SHA1
4e007d4eb80a6748e82b3ed742309c3774b46ceb

SHA256
3b5bcdbba78d944d42dfa613c078a5d5ca90a67c03d23e6ca9feefe33c191580

SHA512
abd1861055a47937fedbaae5d9318c475f1eb765eab6d2d192f50bda5ef15baf7c2be56f04bcbccfee4d3ff767dd35c36482d7acce87d7f540ecd2f6cd7b5d8b

Download Submit
C:\Program Files\McAfee\Temp3563107506\installer.exe

Filesize
305KB

MD5
0c4b9c9b1232ad14f5e791eeafc5a669

SHA1
55ffa6bafe7c8e5989db578d35ae46e523681f3d

SHA256
b21162558563f3009e9d6c8576a75247930fd664b416d0b734c3c3d6e0d1496d

SHA512
59d2640155624c698023a04d7f5ba3a8cb1ef3fc3e0c1cf6a08248b2bb4cd53ce5d0b9fec82f64554f9ebcabe28e785b983eed59d0335ade212532b7ef8f662a

Download Submit
C:\Program Files\McAfee\Temp3563107506\installer.exe

Filesize
433KB

MD5
a086d926e9e9aa4da89fc57c91403ebc

SHA1
38cea413d536086512ebad48c39a644988237290

SHA256
34d69d2a739638702e0b107990d0d029dfedb96be73016b827a370cdfefef316

SHA512
ae01e180df40965cecca07c69f16fd5c5377234da83e59c85e7bd048960c4cf1a887c230d29c030c02f1b8e0feaddb55c7443e8648fac336f7e2219b1e75c783

Download Submit
C:\Program Files\McAfee\Temp3563107506\l10n.cab

Filesize
118KB

MD5
0e9438a5b41993ba88cc06b0babdd193

SHA1
30bd1e138f75d0571f67b135bd99d8b3a2a0b75b

SHA256
d2f46281675885063644e16c2439dc2a1cf6821c37414914274dfd1ab308fc1b

SHA512
f7f15bc7dfec2c17f387aefda54fd5299b411c10f99f42ff7088666499e3ba4a7cebf748476e7090044bee588fe2d67347406eba9b41dd44bb236c77ab116ea2

Download Submit
C:\Program Files\McAfee\Temp3563107506\logicmodule.cab

Filesize
172KB

MD5
3aacf146516fd240062b05e67a182bba

SHA1
934cd1c1031ab7fdf384d691b3e790ba8ef0ba00

SHA256
e65283ff7bf2421c9fec5cc38db71f762add9917e1ea2baf267d88a67c7984b1

SHA512
649f10b68f0b095fb3794a3911664ac1a09147a8fd161de1c468a4e486b0a202d9cd16290c2f50d74a8c85e739834405240a4295b0c6ba489b7ebe819090b9ed

Download Submit
C:\Program Files\McAfee\Temp3563107506\logicscripts.cab

Filesize
67KB

MD5
1eb55d4e679a76306cde285de65f260a

SHA1
fbf3178cd20d2cbb7d6c5416029d9902aa34bea8

SHA256
81ccd6a7df5985b4a3358517671caf1df6475395314a4bbcf958a50f9e16d4d3

SHA512
6c0890d9b950519008caa4514b244ca131eaac70b13cd563e9f0569e65111028c8cc451124d2385ac7291226abb90af6cd68a7baf1cb93aa2bf5df2244e62dbb

Download Submit
C:\Program Files\McAfee\Temp3563107506\lookupmanager.cab

Filesize
115KB

MD5
a3497c70b9d7d0f51a017e24224d50ac

SHA1
b678e67d1d11a10c389a63e58b0f6858a8eb7699

SHA256
7db9744a1d7f367d38fb09bc6ca43c3748cd4e2b85b8fada92b4ba4959e89cde

SHA512
a80ea7675cfd2a735c1f22727c2843c4a7a29831437030912db18590d2f1ac8e2a98097cc807447cdbd02992fec629374670c95eb3241740c384201350fb170e

Download Submit
C:\Program Files\McAfee\Temp3563107506\mfw-mwb.cab

Filesize
42KB

MD5
b80856a40c2f95de6580cab2e08fec45

SHA1
5e33945370bb3fd6e4362792392f15fe55990325

SHA256
e8d6c5b91e42339329df875f50812623896cb89208efa2421dad5cee153ad893

SHA512
05b00ae30d6bfc1917171b62988f8e78ccfd79a6b838b30baaaa70d5c41791e6624ee758e34bb6f99323da0767144a711c9aafee25bba5b41ea1670a6d25faa8

Download Submit
C:\Program Files\McAfee\Temp3563107506\mfw-nps.cab

Filesize
44KB

MD5
a0439c8eb0784ca4ca5455e253cdd536

SHA1
97678d84467a1b5fad1f47b7eecae9f0f92afd54

SHA256
fb7047d0767822ab7b4ba6e004e7d5a1d2754e294981bf2421f151a25ad6d45c

SHA512
802ae8433f9c1a71247294f14e93c30ee78813702470ed24eeaf7f9994e1af0f39cae94b673085e1c1abea20142652ddca1e89ed3b5a4c642252c777b6c946d9

Download Submit
C:\Program Files\McAfee\Temp3563107506\mfw-webadvisor.cab

Filesize
109KB

MD5
02e6c77cb48078d18bdd6bdf9aa31e17

SHA1
9c845fb59db01286507baabf5f0a04d2048fe74b

SHA256
207a738d0402bc335c591b5ba08a3e728fedb8b82c3438c871477aa3b15d3bfd

SHA512
00f06634db446f299c525bf32b031293157f826900c91595482312a63d50ddc1ffed730fd357f75b2497cc40d42b2856bce423fdb27479ea522895b71fda2944

Download Submit
C:\Program Files\McAfee\Temp3563107506\mfw.cab

Filesize
126KB

MD5
3600f472059b6006fdf5262dd403b6b4

SHA1
6cd2e40438c658660b09e9f150b59ddf8379c806

SHA256
addd13ae17e650c7d591e9d162a5b09405f53aab2135c42ef487cb24051538d6

SHA512
874c7e7a5fe523b09e532f9b652945855bb10624d285482fc7d241fd73254a036c3eac613b4437db441e2759dece3041d7c2b70c34ed60fe24902909b7e52048

Download Submit
C:\Program Files\McAfee\Temp3563107506\resourcedll.cab

Filesize
65KB

MD5
9951527ce87d2b72085cdc8ec2d91642

SHA1
7a7d8d87824ff17aff763a35ec1574b43ece09d7

SHA256
54a59e420a30658b06ad96d31782e4f505762e594696b8b1b18cd10b7c2b7fcb

SHA512
b34fa32aee5586333438cd1d51e00144459f18159e518ad2e52eeec3b280ebeac2db0c17b858f18d526d22f3ace161f93800360aece105ecc381cf02b9f967db

Download Submit
C:\Program Files\McAfee\Temp3563107506\servicehost.cab

Filesize
186KB

MD5
4555ad9d26ac51096fb2ad6e9df0d577

SHA1
3d9cb29ca761af9220fa89582fc7afe8b9ab02db

SHA256
2211bcfc0a0d20305ea20a806fa35a99a50eb35beda6bc077466d6c36ff924da

SHA512
adb5608bbbce0ef27f048883376b5400a5780af72259e2d5fff8261b39824a9f2e95da3d22d9e32c045e5f9d07163cdf91f7a7b8dd4c874a827d460975d3d711

Download Submit
C:\Program Files\McAfee\Temp3563107506\settingmanager.cab

Filesize
775KB

MD5
23e8b1e16ee8c2174118fe6b5ef1b839

SHA1
c854138aac966e35d508c065da368a9fabf3407d

SHA256
eac97e5a37006e24e5c5f3a2f52186ee3e7792026ac9ceb6429b09ed7f7c2c44

SHA512
19af3725f0b8a4c5333ace7f3086f9f1ef95ceeef51651e3a1df9ea7d1644f9ae4c6d4439edc900b3b0f95561cc491886f2af6f1d07498ccac4a8f8bffb3e878

Download Submit
C:\Program Files\McAfee\Temp3563107506\taskmanager.cab

Filesize
25KB

MD5
6ed205e23c4c45f53be4f3c7c78fee80

SHA1
a62ad23c33263d9a68de4521eb5c8d536a77b16f

SHA256
ec860e73c892680675f019ebf5418591e717978b8d87108746451ee7d1786923

SHA512
cf42b918aac7e95ba34ec1cbad65f0eb614c51494f1a9f11d3b5efd80b661610af5538e0cbfa1dedb4146bda46e194d4eec0649f4a97afe798ca79c6cfdd5287

Download Submit
C:\Program Files\McAfee\Temp3563107506\telemetry.cab

Filesize
94KB

MD5
f92f1cc387fb2295feb27380da7131b5

SHA1
1958189bf93a22be3d0e7fff8e046b3760aa22fd

SHA256
4013da2a269a42577dc954612436ae21f99d28da951131a756e87d535456312c

SHA512
f85963ffcfd39cf94e653c2dfdb4b1448b46ceb10ef46ab1226e86dbc0895817a80f616359458c4dd8f2a7421ef63650ef63b6c3b054423ca2d20a435daeb55c

Download Submit
C:\Program Files\McAfee\Temp3563107506\uihost.cab

Filesize
315KB

MD5
c4e84a212e899943a47ee30b946bd429

SHA1
4bcd4cb972b161761ad196d75e7951f052be65c5

SHA256
aa040cb9f6a2584afd1de5b8e7eda095acb7bfab8ac99c8d23f4dde036dd87e7

SHA512
c7a3e387dec42caa4a47fda6bd3fdb54bbf3f4feb5dc22eb7f3f12a26fff0c3e09c5cea2d480cfcf75ecaa1721e5a66041c52ef691f78973b67d03eb89682b3c

Download Submit
C:\Program Files\McAfee\Temp3563107506\uimanager.cab

Filesize
57KB

MD5
9ec50e111b65464b3bfc38095a93b8d0

SHA1
8bec74f736ebe2544e918d0da95470547f97af2d

SHA256
4f31c34b3e36e7740f3f5cfda5ba6d4de2a521a7f816489a753c32f8df79bc6c

SHA512
1696f38f6fd663780b8e129cd2f22e734e263eaba72815133bb4f1228b66e4fae4d2e42f9bd1a1ef0e7ddfe99ce4d61253cc6471db42d75d1ccc223a9b045c74

Download Submit
C:\Program Files\McAfee\Temp3563107506\uninstaller.cab

Filesize
12KB

MD5
c7545517e3cc5d92d43301928599a916

SHA1
010440c0b7a8f34eda25a337310a62e88fffaad6

SHA256
ae83ae2cb74771290a32b313ca911d0ecc1a19c9ed5748654d282d2a82cc5da7

SHA512
df5ae4607a24a3f98bfc52c4dd65ecf1c02a01bed7d72f3fb72f7abdc235a0136642aa413642bc861ccfc64e4ca4cdbe9a1a407ff16223d14ca9cc60460d784c

Download Submit
C:\Program Files\McAfee\Temp3563107506\updater.cab

Filesize
49KB

MD5
f3b7c2a0519668da626f41f6c7b2c883

SHA1
784e3b465ace6fcf58d49080a4754c2947d535c5

SHA256
c0f8e7fe7ba492bb0640bc5b6219d2d52622aee3d44dee1f2cea62f98d1c92e3

SHA512
d1fcd8df425255cc1fedcbec6c79e57bedf70d08ba36389ff855396a5cce8895bf37cdd751221dde87b81d105228604426ba05fe822cb5fb69af26cbee5b88bf

Download Submit
C:\Program Files\McAfee\Temp3563107506\wataskmanager.cab

Filesize
48KB

MD5
985e35743cfa837b0292b861d98ccd11

SHA1
b500060985244d2f2a1cafa2992015b31f03f055

SHA256
45e899d50d2b42f96b174396fd3efff87215addda8ffe89f8c8693143f83850c

SHA512
de9b9409e935aae2e61c86779daeaea5a2b6b8edc9e851faf9486a4e23480f9a3a360a88d07c57fbd2db7f616cf09e74545b3bc235fdaa1647b8f5d6646e96b1

Download Submit
C:\Program Files\McAfee\Temp3563107506\webadvisor.cab

Filesize
33KB

MD5
e1774f73051bbf26ac689d8394d627ca

SHA1
eaea68e1096b49766413cfa1a3556e21b1448ee1

SHA256
608801b2cc08d0a24711cd8aaf78e722b8b3dab6100b2848672c59da1f63884e

SHA512
38386e857136e0071190f88921b615e0739d7ac1b256947707b12b674c093ae2bf76f99be1d5b284edbd1def2451015bad71e03e7ad7d9b75aef9328912ddc9d

Download Submit
C:\Program Files\McAfee\Temp3563107506\wssdep.cab

Filesize
602KB

MD5
7730b8e56cc68a9c7846ee603d1dd4a3

SHA1
f196b495506e571920b54df4d1ae57e3da1b30ae

SHA256
fb53b769d96949f315d0024acc480edc6a6370cb94d4ba9ae02c74fb91e2c687

SHA512
93db4626309c75913024fdd40e05181b26ce07240ea4e5a2f1d941e95cc826d1963ede3976a4daf507a97386cc5d2eb93c8b7b3320470da1074850b812d9a1c4

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll

Filesize
1KB

MD5
33dbb520fb41d905a2c9702f57c0950d

SHA1
05654e73d5b2b196f40dc2af266e502121f28cf8

SHA256
86993addeb6c729a3758e868e32ec044f628c7f0406d3a060c09f4d63d545a66

SHA512
f5f9d1a314937bc334f96ce23f22f280bb90910e627031590e2b15c60c3af169bb82135cb7b70f5cbdfe0ff87026b7de2f45e11779ddf98ac9737c7590434f9b

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
72KB

MD5
4004afd0aafbd26d3acca49b7fc11eeb

SHA1
3dbbc519b0319e94daff139d578ae15635f76631

SHA256
d598c7bd7527aeb295afa6dc35a027cb091cd1912495c8b4c1c1d4de16cd04a5

SHA512
192f24a6844d8e9042d15d67822596016e206fbeb1c4eaf6797e3e0bef71082bd503661c92e6154532c3a0987954fb42d76113b7d5243d7622f9bc27c9eb0bc5

Download Submit
C:\Program Files\McAfee\WebAdvisor\EventManager.dll

Filesize
133KB

MD5
98087bb13801f88bac35e59d0fce864a

SHA1
fab7e65d5e02ccc9527ec169476a25e492cc71a7

SHA256
6f791dde956f4aa2f908e569e63ce1853c2fe7361acfc260c4c2d0f2c69be651

SHA512
92d7a35debd2beab8b978cb1ac590ceca9cdc96738484f340d5afa7e86b81eb30681f1bed5f7d9bb97740bd3abccccaad5c76a8f18c5a0ee3cac8d60c902e007

Download Submit
C:\Program Files\McAfee\WebAdvisor\LookupManager.dll

Filesize
101KB

MD5
dff04bee3fa9ab40f746fab1b58f8347

SHA1
cb9a6a608d78cc5ea04fb1ad29ec45f9b0a92654

SHA256
08c328dbff572dea51d12f463f835909386ca17a62d0d31ca148531a81fad072

SHA512
4da26080057128341c5d0e65d31d72d0ca5472d76b1ca89318edb773062896927c23458a9a1d6ab0193f58af757cb323a617d1a6772b5211ec4160064ede6b43

Download Submit
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

Filesize
239KB

MD5
4cc58c7723850fb4f0bfc38796457cc2

SHA1
3993bd5b425e38979e9c67c509763c953be6294f

SHA256
82c5c549f83fc994b72db895fe74cf6092c9a7c2362a7f30ac99ad6d89e48cf3

SHA512
f66a1408619288d87cc48b26f9d76df1d05fcb031d0c5e58e463ac3c49fdbb1ead19623687325b9ae9c3732bcafbc07ec1b9368e60aa414d6a42e9a46bff3d4b

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll

Filesize
13KB

MD5
5bb918b490415e49d7b2a52aaa48e986

SHA1
306f7f5b370e24de5fed198c51b99591f15bd4c7

SHA256
ec4687ad84315188ad3cdfec16afe121c0def6fa3313c60d84f579f762c00e8d

SHA512
8687d3c21c5b8cb71e5a1d9d046349188737db99f1059245fb3d8691248edb065f477dbcdafb3b661261380b1ea9dc82e55934b5618b7a72e6b8ba5810f2b67d

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticsmanager.dll

Filesize
265KB

MD5
f28b0d6d1fd1f43dabeb38c7fe306d5a

SHA1
0df4f5cb0089df89f8b486e8fd719c275b2accda

SHA256
a8becafb73507e58fb5a7320b05079213191f828e88d2757de73d52fd98872d8

SHA512
2e824d43c5d06347013093e7ebff12251e4c286396e8738808cca0b5d5053c7a91bf861d306a7a836585f132f0d897d90c87ba1655490303e0ee04bfee8bc3ee

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsEventsConfig.luc

Filesize
6KB

MD5
c395733a5f84a1a44fbdc6215c024617

SHA1
b1a6577f6736872e671dc79aa004a4d12fce115e

SHA256
6d9e576bd4f77d902b6adf283d0687f290751ffa42dc1411d01f1f861a3f4211

SHA512
209cbc08b4fc2fac8caf80b8b288fc194858d0cff0966662db3ebf62999f35047db4aaab046ce2d83756dc33a69a9f0031ecfaf59161457c06cb81b4c5fb6f19

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsTelemetryHandler.luc

Filesize
2KB

MD5
39c8fbcb505b8922e6fc9aa8ef3205f7

SHA1
c0d6b471c83469f21f39f80bdc6688a75303dc29

SHA256
4f291f3ceda9aedb66c900e70516431db0b1f57383383402f738d46abdfeeb74

SHA512
3b78c581220c298dbda40dc96fec2dd9d3a5c7b99132afe416a8820b4582d7cfe76cad29dd54431fd73bc1d5a564843ff87c6e2456154ba26224a7a669f84259

Download Submit
C:\Program Files\McAfee\WebAdvisor\eventmanager.dll

Filesize
57KB

MD5
60d253c4cd2bc88d803cac8c735d00df

SHA1
cae75f178ad45e3e191885cff833f914de64b16c

SHA256
e0c7f66dc89afddad3ad93f6111c6d67970df2551d754f9581a2353f957189c0

SHA512
83ce1bc9fc70bc515a6e7c87d7a29b1728fa55a4bb7c170cc186e9530da96d0afc2ee0a7f4b89fc28e7d651cf2aec2ab5e349351e94c114ce0bd3d19c881d132

Download Submit
C:\Program Files\McAfee\WebAdvisor\lookupmanager.dll

Filesize
214KB

MD5
fef243fc4a5e18a7fb1c0132e62d70cc

SHA1
9441cd0c24dd36e0828001ba51a83289767b8958

SHA256
f715b64df27f6c4266320654d2464a0ff1499efbffcfde804903aa5f1443d941

SHA512
dd385956ccd2c6e8bed02071fea325e12c968d9fc9e6f1c54ebd1a66a0c889e756f17c96d38e8db1d344c72486a942728ceeb8eee016f1ed4500eb0f979ab0cf

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\class.luc

Filesize
656B

MD5
f3ffb662fbf51302dd14b63606b30dbb

SHA1
ed4a43bf87207674bd762da8e016d6972bb2a9d9

SHA256
22543ae97e22f18343b17e7ae0b28cff359496a5e3bf701630de9a51d797317c

SHA512
eef3b54dec4b42af7e6b29ccfaab6851971c95962de28f4b4140f1a0ef3b3057ec413c8f2194d035a43d8c9faa1a78a44604da89843b4aa3ced69f77b89e20e0

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\dkjson.luc

Filesize
9KB

MD5
db91e143f6f9ec9809bd02ba6d8983b9

SHA1
ef0b2a539b55071aa5a2c339b42e950cd77dd3cf

SHA256
0e32afec0d3370c491eeced1f28ff00711804e4827e2bf97a2e5f5cf071ee333

SHA512
62379239a0fd86d538690b53266efaf1d3d5ddaa091dc793ba258e5297534e8cf91bb582171a42709e92844abd241cef573eb1ac76b9f2bd5d2d121f385762f8

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\logger.luc

Filesize
672B

MD5
834796a066bb60db882ed9d2968887b8

SHA1
bc5f7870171d526da420b6979021d69ee275b4cb

SHA256
f01039acf8adc6025b94f6d38ac7992aae90caf7c4894439b7b0124fb7bfa4d7

SHA512
b922e9264d7341668302761ce54703ffcb53fccaa9edff92cffd7d5076ab43f203f4f3d31b2e807ea915d42a61c8948fea4e49649443efff6d0c71670bcccec8

Download Submit
C:\Program Files\McAfee\WebAdvisor\servicehost.exe

Filesize
184KB

MD5
00a12b2a46a9adc9e19091c2c100b48c

SHA1
52ed1cd844d3336952381a208901378d9b3aeecf

SHA256
2f4d1f2905ab81c6045bf90bb3e24d816aa34c6161b9a37ff28c630d86f28bf9

SHA512
f7381b633e1a0dc7f3bf6cc0f27db0fb08afc57d1c4df4e7be14088e91faf588957231dcc1ddcbb5b8cbc3b45618d541522838da02e59dff0acc599519df2125

Download Submit
C:\Program Files\McAfee\WebAdvisor\settingmanager.dll

Filesize
7KB

MD5
3ba805b2799d93ac578ae8c9531a34ca

SHA1
19de9d85e86dac920482b947c1ef89384a2ee587

SHA256
57cb69c31024e5846b818f2192ee7338be637bb695573cb5921a5bb9e573dd1c

SHA512
f51079af3a5b986a8e687d89e58e1b02af4ee4209136c81bdd4ee2dcda2a6d18faa47a6f4186ebc64c08a3a64ecc9e702656e174db76df5da2d6f77c2f36227e

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\DimensionConfig.luc

Filesize
23KB

MD5
10aaeef535f62df1cc8c23494d5d6637

SHA1
623888da621e17a1143067584063fa54a7f6735d

SHA256
8d482d1d989ef0bdb7f9c4fed9c8cbfa7f8c25a68056801c9af5004478623793

SHA512
7a4bd14ec5ad158eb47197f3ad95ffa1950b102ddbf721971c11cbe47760231fca4248578c76b3444a248dc23fcf9142d2d6f1b3a27f53a2aca9121206f201a8

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\DimensionProcessor.luc

Filesize
1KB

MD5
dd75c7832a3bf471e4d789d8fc273a04

SHA1
11829c43f3cd08ac0365814dc381056129b19aa0

SHA256
73c86ce34a57a2feb0bd1b678a0c3b92189acbf18cba82ca33e7f423e59a5a45

SHA512
537e4491043067db7b85ec60583aef911187f1a1bb8ac6ae6b5c8ef054abb1ba640f3ea4e5b447de441e9b2335cc8852b009f056125e57380e57b8ab70590d9e

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\events\TelemetryConfig.luc

Filesize
25KB

MD5
c03af33292b51d7715593deacc287b35

SHA1
b57f8cd732b22f8dd5278601b223f078c091273c

SHA256
26ca7d1a7b1ca76c09209aff6731c7c47ad60449dbeb985539c6b64940084557

SHA512
53f618568b150c34bf1c9afa71efc5094fdd2188cd2cb40eeed64056ba039c238370fad6d564e92904b8ad90d78c8a3397639f624dc14b38757188c757c01bcd

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\events\TelemetryHandler.luc

Filesize
2KB

MD5
eec5f9f0abc16a6bb0cb5745ea0489b5

SHA1
60759ac5e38787e10c2afb7a33ff85677ef7ce75

SHA256
e14b6d17c3f7b834c44dab1f6c04d666fffa3cfb78028c8a957cd9db913b9a01

SHA512
313cc8a08cc25817bee41d6ebd0a78b9e5089b80980118a64312a6be407a1823b592e713521bfdf73f247b8833181a54fd874b0bad26af969063b3085691d692

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll

Filesize
29KB

MD5
6b4da82cbaf8caf06c1e15336def64bf

SHA1
8acfbe3ac2ca9b562a19f2e20c69e1bee713a5bb

SHA256
eefd94d3278443811fbe430186cd7cc502cbecbf4e50be3abd78fc02a52393f7

SHA512
742f71f62d881c53aa8f8b1a1761d638fa06d763a25f8ec8b88202722caac693c958829d99e55879c0a4cf2c7eb94bb4354e1c3677ff9849077e59827583ee1b

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

Filesize
11KB

MD5
1e516eee821c173ea480ff1446e0f9dd

SHA1
5d958f30e5090fcb567b93c8dc246241685defca

SHA256
0c903ca1b4616cb8b07cd17b5334bf94b18fa8005b24c2b6df33c4626ea41c64

SHA512
18439fa6dff23b657bbbd5c85f36f55b470f7b12f4e0d5b4d1caa0be3ede9c0ad63da507b1e37514fa064fe5eb53f14c811996fe18552f32b2fb971007977471

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\downloadscan.dll

Filesize
50KB

MD5
1d9b647f8203361146bb97de7f23f2c9

SHA1
b9f5c1daaa074d0efbf00916a9b9471507abe3a6

SHA256
b88be9d64609f21bcddff26a97188a9d037f8e072e6eeb4e0abfb8c0ae15029f

SHA512
3ac4c31716de7afca29505101a0086821fc202db3e2be53d7691863cc67cfb3c17e1dee5c2ead696a7b9ea289028b92800e189c8dbb7bc5c6522b589f05f30ef

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll

Filesize
182KB

MD5
28b227481664d0c0f36bb0fa6f4cae8d

SHA1
3ec637e0e14af941d171714de5676caeef8da213

SHA256
f57113503166aeea8f48742e3093db09d51597d9fc33dd0843cbe15735b6d8e7

SHA512
2a21d4e5d5cd8721beeec7bb28359ac1d7d038fd91e93c3ceb3d67fb05858226f99a74b035c98e26c79630ee4599f0e86a74b351e9ab3a67c9828f1d5799e7b4

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll

Filesize
28KB

MD5
3ef49184d1eec50680cc5a59ee174311

SHA1
76a2a48b07bb095cc774e06be6647273cfc3b380

SHA256
e20fee8fcf1d0e450c224f47e797a148535cd786d683ac6ca68b7988f740e5ff

SHA512
016add19a10db20e716ee32c654718d33e8e808dd11934cb9fb5c31ab72a04c7a95437209fc51a9d15ec14abe670347f9b99b5e6c1375151eccc019d50c17dea

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll

Filesize
118KB

MD5
e6fd114eca06fda600cdf96977401b0e

SHA1
4698b5f510f61b8d84f91da3e5ce10b5c902644a

SHA256
4e291c7f5304c052d098024d3df53b987ed62717d62eac78f7c9401f322cad48

SHA512
bbf5b8b3e1200c177351bbb012ee6d5201fe1a0dd93c7a464023802e040bd33b3ce3a8f56ce004eb935d7b6d0e9fb1ed782fb27b101d2dc0f45e738952fcc191

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll

Filesize
227KB

MD5
7c9533339961615380260ce191c42e07

SHA1
7d6882a2fdc2337fc36720542a09f5bac81a3b19

SHA256
efd8a1889297c2f4fcfb219ee7215c30e19191aa46911d39c39c77631ffcfd2e

SHA512
2a1cf7cd6ecdaf99c88f03d765d097036c5f7a3c1634c90fd550f2972420b27e234f3a1966d65f047ab93d7422f6b2ef471746ddcbc51cdf9c6c2ff065714424

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

Filesize
136KB

MD5
d5c86ef1e14abccff8f8da4929efe1a4

SHA1
da4b5831ecbe5d473ef782c0a61a74b3243b630b

SHA256
74b17053f09df6acf0caf9277a4aa3a7673b28309824d9bfe0afdf2a146af736

SHA512
4e29272403bb3d1f70ecbe0f364cc9190b199cff55f08e9c76525930072bdb8491bd44edeb9c6ad5f767f63510aae5ec6c1a4a2fb7a0fcf8162291fc96d517ec

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

Filesize
57KB

MD5
13e4d8292dc042a8f5b6612205f29b73

SHA1
819199527ea400cfb3c96249c19b17f3e78dcc78

SHA256
86ba11f7582ba1b199be0100f982553935cf603803f7a62293a71179defb1932

SHA512
5ad82f6e7fc9f4f702b50bd25df92c6ceafe99d07d6a2ca55ecec5cc36ae2a3dff4f7e35d88b0bccccc5141bdf4f3dfa1f1c69a522e531d1c563102e816ecc5c

Download Submit
C:\Program Files\ldplayerbox\msvcp140.dll

Filesize
233KB

MD5
9dd1704002099bbf59fa642c9f7fdfab

SHA1
36c7beaf2ea3509aa45b1b95ea045e7acf6a2bf1

SHA256
9cea284317d1a9b05ca4ba18b226a6bd653c9564316f2d7753da880bfcb5ba16

SHA512
ed5f6c85f11ece3d68c602b3faef3840aa0f979342f3278b883128db89d90d3d96f0f3965e2c08111db749924573d3884b785ed74269c218c9d3b0096978762d

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
2KB

MD5
df6b9f419de47641d19a11a39b6bbb1a

SHA1
7f2170ed1bab07e862d316d76965ab1fc0626d3b

SHA256
1e3144b53e98e1efc3f4fdc0a0a139830ed5a631678c15ddded7d4172ad88830

SHA512
130baebca302c970cbb1f58449cc8f6d37eac04d6511d5a48027eb4a42279a30355b3fdc954677a48f7e6fb4ff74ea8dd9d9d137b0e97409d1cd6a9d8e94e82c

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
4KB

MD5
0843925070d4288e0fc5ed507e4cb8a4

SHA1
068c664973e31bcb82f1faff5a9f39d7459d0a07

SHA256
09a0b4675a868d4aa44754683b3e24a1bcddb53f08609f16cb19816f41c025d3

SHA512
ad799aab92bfb7e86ab85bb5a286939f97d6d052385ac67262494840ffd3bcfd34f0acecf61f39ac8073864c4313eed686318541e23b85e97810f53e64ed5f7a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
4d6c0912f662024d841bd1f3be13b135

SHA1
db077eba63839e69f753867c029a76e81fafebe7

SHA256
c3d0f0749da07a60cf81b77a8e87e306b41c55b1c38d14afd6d9fe42957f1a2a

SHA512
44927913fcfbab4bd229f7d8a066e8754f5375badbe085f2fc1c77c9905efeca2a1bc68f8f611d996e63948ce29c299ec152f47156b1955719bec3396d97d49a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
d83c8f0d31fb7bb0e53c71495a3632a2

SHA1
c0e48ae7b23c8fb62f0a9ade009915671046e101

SHA256
866cc9de784f456597ae686cf08b888200f7ce28b94dfa18b81e8c00096928a8

SHA512
9d790c8dd4d66a27b00565be182a88d72a62c362eb743f91430ee8d5ec9067e77cbfbd2b1713acf320e49f828e563bad7fa8a1fa57ddf45157d033aac72d7c1e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
bf31d82c573662c24148bd56b6411c44

SHA1
634a1bc611ec6da71d61ff5a0f917b8a7c43e384

SHA256
ed789ca9d56f0b09e9dfefd25e0a9270ba36ff8c93589c7c93f48d22c1e8968c

SHA512
0ffea3e1e881eae1aef2f15ed7d6d5b877eb8536e1aa7c441bccc5c0421c6eb1d9a75cd92c20e8b5820a3e1114504e2c6da52c35d88ae6f96002e9e4648d306a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
71fa97e20f80bac7db87498355a2d519

SHA1
e6ea09c4aa29f1a2a703eb7883da2d8410f80957

SHA256
21fb6c59c9d85db81dabd087d57a9e6ded35e7f16d5df0fdd84aa9ed3b23cf22

SHA512
10a53e9df7c9a4969c526c4251cc44ecec63a8725c4feb9160899cffec5f37b026742fd6c8fadefac4e2b7efc734f925eae7277e59073cae557f6ca7a936e50a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
37bdf0aa78e71ad7a2c48b1e0d08cc13

SHA1
f786321e89b4f687a94e92de67dca90a2f6f9b09

SHA256
ef6b5c424b56a27dd026cd7d6682f71d3dff62a603626055782e265886c7a59e

SHA512
fc3bc9e08d1193c485d22fc6a0e2b6994cd34882401cbb58537b8f9a63e32881f4f0204258351af47e780e19fab5a4fd93c62abef7f054134008222d1a98ce26

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
d9fd531758ac283707ff749939021fd1

SHA1
69bd2ef72abfe2b66db07a155491b5d9e53de73a

SHA256
04d0769cde50e85eec16158de6ae3463fec77d2d41daf4df8ce0af47c8f203b3

SHA512
978ad44276d46208016c8b03079b4c3aafa44af82229e204b9c3f5f4c53e1420f35665a23106651f800fd084c7c1cfb626ce29f34c069cb2fd2890980bb59214

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
8bf83e12420b9cd57511caebf8e75cfb

SHA1
c83e101c387e696a69ed7519b4888a8f3d2b74fc

SHA256
ba556f7c896d3f857fb36c6fe7ca8ce5abf8408da04eeaa9e720b6d93eb390f6

SHA512
d95e11f068427f5ca07a35854f429663c7fd48620a23f85bfaab73cdc6276612bbbc06f09059bbfbe1589e4b2587d595460f199184134ee7267c844c463e7234

Download Submit
C:\Users\Admin\AppData\Local\Temp\447199CE-99BF-4606-9030-397901823A80\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

Filesize
620KB

MD5
0747690942a6ba1f451a537cc2903314

SHA1
a3f4ce749a113ae604e2516ab9de12e94128258e

SHA256
25e47d9f2296fbe1f3476ae0007d67f4b144309dba3f918ef1bdbc3f0c92106c

SHA512
c2db0e49e4deaf5a39e9f7926d1daec5c8aacad4b25337331a4da0dd6efba61e91a7c1c4d55e7ee3d7dcd32fb8eea94050b9c001b88856850b5d014ba25e1d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

Filesize
241KB

MD5
43b5049a4baf11f8f1d2c3c9d494a375

SHA1
207fc0e54c3352160dcc68badc6eae4977233bf6

SHA256
355782cf1f507ceaa11dc1b7a14f007b200fad3772940cb46cce0314c1633d3f

SHA512
850072c18a44b83e369a1f4e7f994d47cc07c77b5ca7baab7b1e5b8eba81eb277ba169218c92563cb65e222d4c34f7daaaa84b97a27234784fdc93281e8d33f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

Filesize
740KB

MD5
b99df936fbb355166ad59f228c34ca5e

SHA1
3679baec2308f56e17304141f63819d61e2201d1

SHA256
6539b251c816ded55e6bcdcbd78f2da1feda02aafe83fa71a6dd8826fecaec79

SHA512
870eb177c9a86fe821209857c13795c7f0ac8415fe67b7c5112ce92624c2caa9d367262d75ddd8922fd9e1b90a685bb8ff239fdd271887a5a5c1044ba0f9b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

Filesize
757KB

MD5
b1c5e2d3e78b72ba0d21878e68fdfbe5

SHA1
b2072ea03dd6346531e412d35e73ba1b7fbd127a

SHA256
8f9098213b6d9e3499c7d60e33960dc0a12e3165e3c40c7664cbf2d165abc593

SHA512
d455b6678607d9b7ebff6164cef4efdbb4122562348ac0b2cb4962a6c9de183414908a334e546cfda70b9988dcc0a4184624b51d1103838d332ce3a7bcc6cca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
47KB

MD5
5f24b2062dae7d02355089a85ba5a20d

SHA1
c9519c6b418e8ebe82e02b82a7cc45d79278164a

SHA256
45ee09ca0d5b46dd614b14331c68b75bc1487dd367322f75463bbe9ab6a0f848

SHA512
4b07fae34a4f4dc9f88de18ed053b4200611d3d5edc772ee8383ebe5e2d624d97be22c0f270fe1f63c86e54dccd57e79b18aa7fd913bd42b241d6bcf96fe0c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
35KB

MD5
ecef362883c721c1b75acebb5df1747f

SHA1
515be09b95bb747ac7af2d4364eccdce853f6cf3

SHA256
ca07a1ae9fd57b55521ba73c82e487c5883948155b4248776e60387dd126b38c

SHA512
e8a18ac9e725521ec2d1491bd91cae0f5774049502c88131e0e1f00a6cf80a0545f4221e9515451154dec6b28b0912ae7398aa41743fdf1f53a00415b62e5b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
13KB

MD5
2c530a6dbc99016056d3b34229ac4265

SHA1
59e69ec72d1fa4b444a9d75c6646aa4444219924

SHA256
f2a74810fe203467dedbba18219ed442823d989373ff9cfeac38f06209cf1f1d

SHA512
558625d5f0ca9fe649fb5a0dd3ad46eb16470350662ca0aeba156c6d8894257fdf0d38ec3a43b105e4c4460d103f45d00be34711fe85d7cce398a79299e138a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2g2hwln4.vt3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi\ldopengl32x.dll

Filesize
73KB

MD5
3a20932eac11a1cd18a661cc3f9b8489

SHA1
a4ed463713f73d1cbbdb4f99946b9a2f9c4b491e

SHA256
74e557b2cdf246ad6f38413969c934bb950c950761d75bb2c2fa59dd0bc45df1

SHA512
e5e7dbc27ec43c4ff4c9b1f7d1455b92502ce038ef4dcd6363cc313348e5bc16791c834e66be385bb2af8282057e393c25a48b39677afb31a72d0de2004ffc1c

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
247KB

MD5
d1ea3330f930f745772fbba6bc916644

SHA1
7a1600f03155b5b98ceefe4d8b7e309549f776ef

SHA256
8e1ee84da7c1f9e4b42a7cf7a22a7e2a6ae0107149641f38f5d0f147ccdd33fb

SHA512
71ee118d1a3b3b77cbecbd42356718a573c784245bbe5f54702eaa6d84636c4165a4f6d80c46afdad2d4cf43122f0a06554faf5b1f8391689f1615842f199713

Download Submit
memory/2508-36-0x000000000B590000-0x000000000B5AA000-memory.dmp

Filesize
104KB

Download
memory/2508-23-0x0000000009920000-0x0000000009986000-memory.dmp

Filesize
408KB

Download
memory/2508-37-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-38-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-35-0x000000000B550000-0x000000000B56E000-memory.dmp

Filesize
120KB

Download
memory/2508-34-0x000000000B5C0000-0x000000000B626000-memory.dmp

Filesize
408KB

Download
memory/2508-33-0x000000000B510000-0x000000000B542000-memory.dmp

Filesize
200KB

Download
memory/2508-48-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-31-0x000000000B440000-0x000000000B452000-memory.dmp

Filesize
72KB

Download
memory/2508-30-0x000000000B2E0000-0x000000000B2FA000-memory.dmp

Filesize
104KB

Download
memory/2508-29-0x000000000B380000-0x000000000B432000-memory.dmp

Filesize
712KB

Download
memory/2508-28-0x0000000009DB0000-0x0000000009E00000-memory.dmp

Filesize
320KB

Download
memory/2508-49-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-27-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2508-26-0x0000000072D80000-0x0000000073530000-memory.dmp

Filesize
7.7MB

Download
memory/2508-25-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-24-0x0000000009EC0000-0x000000000A3EC000-memory.dmp

Filesize
5.2MB

Download
memory/2508-32-0x000000000B4B0000-0x000000000B4D0000-memory.dmp

Filesize
128KB

Download
memory/2508-22-0x0000000009880000-0x000000000991C000-memory.dmp

Filesize
624KB

Download
memory/2508-21-0x0000000008520000-0x0000000008564000-memory.dmp

Filesize
272KB

Download
memory/2508-12-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download
memory/2508-8299-0x0000000072D80000-0x0000000073530000-memory.dmp

Filesize
7.7MB

Download
memory/2508-16-0x0000000006110000-0x0000000006124000-memory.dmp

Filesize
80KB

Download
memory/2508-17-0x0000000073630000-0x0000000073644000-memory.dmp

Filesize
80KB

Download
memory/2508-20-0x0000000008380000-0x0000000008412000-memory.dmp

Filesize
584KB

Download
memory/2508-19-0x0000000008870000-0x0000000008E14000-memory.dmp

Filesize
5.6MB

Download
memory/2508-18-0x0000000072D80000-0x0000000073530000-memory.dmp

Filesize
7.7MB

Download
memory/3444-9321-0x0000000075F30000-0x0000000076020000-memory.dmp

Filesize
960KB

Download
memory/3444-8287-0x000000006E2E0000-0x000000006E531000-memory.dmp

Filesize
2.3MB

Download
memory/3444-11627-0x0000000075F30000-0x0000000076020000-memory.dmp

Filesize
960KB

Download
memory/3444-11793-0x0000000075F30000-0x0000000076020000-memory.dmp

Filesize
960KB

Download
memory/3444-8288-0x000000006EAE0000-0x000000006EB04000-memory.dmp

Filesize
144KB

Download
memory/3444-11794-0x000000006E2E0000-0x000000006E531000-memory.dmp

Filesize
2.3MB

Download
memory/3444-11795-0x000000006EAE0000-0x000000006EB04000-memory.dmp

Filesize
144KB

Download
memory/3796-346-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-644-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-255-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-296-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-264-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-313-0x00007FF71E620000-0x00007FF71E630000-memory.dmp

Filesize
64KB

Download
memory/3796-326-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-411-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-419-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-447-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-218-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-252-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-254-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-291-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-453-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-427-0x00007FF71E620000-0x00007FF71E630000-memory.dmp

Filesize
64KB

Download
memory/3796-420-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-507-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-566-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-581-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-611-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-626-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-652-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-684-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-649-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-253-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-640-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-628-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-618-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-595-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-570-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-455-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-465-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-702-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-475-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-481-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-1158-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1159-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1169-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1166-0x00007FF71E620000-0x00007FF71E630000-memory.dmp

Filesize
64KB

Download
memory/3796-1170-0x00007FF71E620000-0x00007FF71E630000-memory.dmp

Filesize
64KB

Download
memory/3796-1174-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-1175-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-1184-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1192-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1188-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1187-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1185-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1181-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-1176-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-1171-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-1164-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-1162-0x00007FF76B0F0000-0x00007FF76B100000-memory.dmp

Filesize
64KB

Download
memory/3796-1161-0x00007FF782BF0000-0x00007FF782C00000-memory.dmp

Filesize
64KB

Download
memory/3796-1157-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-1156-0x00007FF7817B0000-0x00007FF7817C0000-memory.dmp

Filesize
64KB

Download
memory/3796-501-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-550-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-557-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-563-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-587-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-687-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/3796-698-0x00007FF736E30000-0x00007FF736E40000-memory.dmp

Filesize
64KB

Download
memory/3796-737-0x00007FF7789C0000-0x00007FF7789D0000-memory.dmp

Filesize
64KB

Download
memory/5304-3157-0x0000000072D80000-0x0000000073530000-memory.dmp

Filesize
7.7MB

Download
memory/5304-3079-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/5304-3080-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/5304-3076-0x0000000007200000-0x0000000007211000-memory.dmp

Filesize
68KB

Download
memory/5304-3075-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/5304-3074-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/5304-3073-0x0000000007640000-0x0000000007CBA000-memory.dmp

Filesize
6.5MB

Download
memory/5304-3007-0x000000006DE00000-0x000000006DE4C000-memory.dmp

Filesize
304KB

Download
memory/5304-3018-0x0000000006EF0000-0x0000000006F93000-memory.dmp

Filesize
652KB

Download
memory/5304-3017-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/5304-3006-0x00000000062C0000-0x00000000062F2000-memory.dmp

Filesize
200KB

Download
memory/5304-2977-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/5304-2919-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/5304-2918-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/5304-2917-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download
memory/5304-2902-0x00000000023B0000-0x00000000023E6000-memory.dmp

Filesize
216KB

Download
memory/5304-2903-0x0000000072D80000-0x0000000073530000-memory.dmp

Filesize
7.7MB

Download
memory/5304-2907-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/5304-2904-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/5304-2906-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/5304-2905-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/5484-12676-0x0000000073960000-0x0000000074110000-memory.dmp

Filesize
7.7MB

Download
memory/5484-12691-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/5484-12697-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/5484-12708-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/5484-12719-0x000000006FDE0000-0x000000006FE2C000-memory.dmp

Filesize
304KB

Download
memory/5484-12739-0x00000000073E0000-0x0000000007483000-memory.dmp

Filesize
652KB

Download
memory/5484-12752-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/5484-12812-0x0000000073960000-0x0000000074110000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads