Malware Analysis Report

2024-11-16 12:23

Sample ID 240321-1zlygsbf64
Target LDPlayer9_ens_1001_ld.exe
SHA256 6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
Tags
zgrat discovery exploit persistence rat
score
10/10

Analysis Overview

Threat Level: Known bad

The file LDPlayer9_ens_1001_ld.exe was found to be: Known bad.

Malicious Activity Summary

zgrat discovery exploit persistence rat

Detect ZGRat V1

ZGRat

Possible privilege escalation attempt

Creates new service(s)

Modifies file permissions

Checks installed software on the system

Launches sc.exe

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Runs net.exe

Opens file in notepad (likely ransom note)

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 22:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 22:05

Reported

2024-03-21 22:10

Platform

win11-20240221-en

Max time kernel

92s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe"

Signatures

Detect ZGRat V1


ZGRat

rat zgrat

Creates new service(s)

persistence

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\ReasonLabs\EPP\uninstall.ico | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A
File opened for modification | C:\Program Files\ReasonLabs\EPP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4212 wrote to memory of 4288 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 4288 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 1460 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 4212 wrote to memory of 3980 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.0.308419672\1502400942" -parentBuildID 20221007134813 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {090dfe5a-2044-4f1f-8de2-1379a14b5875} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1856 257b0fd6658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.1.807468064\1905529515" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcb8c57d-beb1-4390-8e8a-a56162e18f54} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 2252 257a4fe2158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.2.784486280\466958520" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c702474-7bca-46c7-a20a-15258bc4cdc9} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3004 257b0f5b758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.3.77676369\107666190" -childID 2 -isForBrowser -prefsHandle 936 -prefMapHandle 928 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {344d3e6e-fdd1-4b42-9099-b8f360af489a} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1392 257a4f61f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.4.499154881\1970499801" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36fa28a3-3743-430d-8e84-e2a95cbdf8ca} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4784 257b51f0758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.5.750373661\457467406" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 5116 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82047441-1e84-4ed5-9e23-9ae45069d017} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5132 257b81ec158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.6.1268137637\1008957409" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3665f2a1-8aa4-4454-a540-c4f874d508ee} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5260 257b84b3f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.7.1725746440\1072110083" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab1f6352-ec3f-4c7a-9cc7-1d6f52576aa7} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5460 257b84b2758 tab

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=f77dd757b1d4a6c918c7f74c119f29c35f401c2e&dit=20240321220720546&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i

C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe

"C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe" /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=GB /no_self_update

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=131684

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\dismhost.exe {B5BDA299-25EA-4F9C-BF94-8C47AA74B0A2}

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockCompare.bat

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp4028823192\installer.exe

"C:\Program Files\McAfee\Temp4028823192\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\\dnplayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004B4

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0453cb8,0x7ffda0453cc8,0x7ffda0453cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2028 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

Network

Country Destination Domain Proto
CH 18.165.185.97:443 d3n1ms4uhtqgov.cloudfront.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 178.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 97.185.165.18.in-addr.arpa udp
CH 13.224.98.99:443 d1arl2thrafelv.cloudfront.net tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
CH 13.224.98.99:443 d1arl2thrafelv.cloudfront.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
CH 18.165.183.15:443 encdn.ldmnq.com tcp
US 8.8.8.8:53 219.184.165.18.in-addr.arpa udp
US 8.8.8.8:53 120.185.165.18.in-addr.arpa udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
GB 184.25.204.41:443 tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 44.230.91.85:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
N/A 127.0.0.1:49804 tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
N/A 127.0.0.1:49810 tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 104.22.0.235:443 shield.reasonsecurity.com tcp
CH 13.224.98.99:443 d1arl2thrafelv.cloudfront.net tcp
US 34.214.100.62:443 analytics.apis.mcafee.com tcp
US 104.22.0.235:443 shield.reasonsecurity.com tcp
US 8.8.8.8:53 62.100.214.34.in-addr.arpa udp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 216.239.32.178:80 www.google-analytics.com tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.214.100.62:443 analytics.apis.mcafee.com tcp
US 34.194.192.31:443 track.analytics-data.io tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
CH 13.224.103.125:443 update.reasonsecurity.com tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
CH 13.224.103.75:443 electron-shell.reasonsecurity.com tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
CH 13.224.103.50:443 cdn.reasonsecurity.com tcp
US 8.8.8.8:53 sadownload.mcafee.com udp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
GB 104.84.78.57:443 tcp
US 8.8.8.8:53 133.71.91.104.in-addr.arpa udp
US 34.214.100.62:443 analytics.apis.mcafee.com tcp
GB 104.84.78.57:443 tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
US 34.194.192.31:443 track.analytics-data.io tcp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
US 172.64.149.23:80 crl.sectigo.com tcp
US 172.64.149.23:80 crl.sectigo.com tcp
GB 184.25.204.41:443 tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
US 216.239.32.178:80 www.google-analytics.com tcp
SG 8.219.136.97:443 middledata.ldplayer.net tcp
US 172.64.149.23:80 crl.sectigo.com tcp
US 8.8.8.8:53 en.ldplayer.net udp
US 8.8.8.8:53 ad.ldplayer.net udp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
US 163.181.154.241:443 en.ldplayer.net tcp
CH 13.224.103.35:443 ad.ldplayer.net tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
US 163.181.154.215:443 advertise.ldplayer.net tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
US 163.181.154.215:443 advertise.ldplayer.net tcp
US 216.239.32.178:80 www.google-analytics.com tcp
CH 13.224.103.78:80 apien.ldmnq.com tcp
US 163.181.154.242:443 en.ldplayer.net tcp
US 163.181.154.242:443 en.ldplayer.net tcp
US 8.8.8.8:53 cdn.ldplayer.net udp
US 8.8.8.8:53 cmp.setupcmp.com udp
CH 13.224.103.85:443 cdn.ldplayer.net tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
CH 13.224.103.78:443 apien.ldmnq.com tcp
US 8.8.8.8:53 42.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 85.103.224.13.in-addr.arpa udp
US 8.8.8.8:53 78.103.224.13.in-addr.arpa udp
US 8.8.8.8:53 6.4.26.104.in-addr.arpa udp
NL 142.250.179.206:443 www.youtube.com tcp
NL 142.250.179.206:443 www.youtube.com tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
NL 142.250.179.206:443 www.youtube.com udp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
CH 18.165.183.124:443 encdn.ldmnq.com tcp
NL 142.250.179.142:443 www.youtube.com udp
NL 142.250.179.150:443 i.ytimg.com tcp
US 104.18.31.49:443 stpd.cloud tcp
US 104.18.31.49:443 stpd.cloud tcp
CH 13.224.103.78:443 apien.ldmnq.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
NL 216.58.214.14:443 apis.google.com tcp
CH 18.165.183.31:443 apien.ldplayer.net tcp
US 8.8.8.8:53 150.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 49.31.18.104.in-addr.arpa udp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
NL 142.251.39.98:443 www.googletagservices.com tcp
NL 142.250.179.194:443 googleads.g.doubleclick.net tcp
NL 142.250.179.198:443 static.doubleclick.net tcp
NL 172.217.168.202:443 jnn-pa.googleapis.com tcp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.193:443 yt3.ggpht.com tcp
NL 216.58.214.14:443 apis.google.com udp
NL 142.250.179.194:443 googleads.g.doubleclick.net udp
NL 172.217.168.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 198.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 193.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 3.214.58.216.in-addr.arpa udp
NL 142.250.179.130:443 securepubads.g.doubleclick.net tcp
NL 142.250.179.130:443 securepubads.g.doubleclick.net tcp
IE 209.85.203.84:443 accounts.google.com tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
CH 13.224.103.126:443 tagan.adlightning.com tcp
CH 13.224.95.222:443 c.amazon-adsystem.com tcp
CH 13.224.103.126:443 tagan.adlightning.com tcp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
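The table above mixes four kinds of rows that need different handling before any of it becomes an indicator: TCP connections with a resolved hostname, connections to bare IPs with no hostname, forward DNS queries to 8.8.8.8, and PTR (in-addr.arpa) lookups that only encode an IP the guest already talked to. The script below is an added example for this report, not the sandbox vendor's code. It parses rows in the table's own format, decodes PTR names back to the IP they describe, separates loopback traffic, and splits the remaining destinations into hosts accounted for by components visible elsewhere in this report (the LDPlayer installer, the McAfee WebAdvisor and ReasonLabs installers listed under Files, browser telemetry, the CA's CRL endpoint) and hosts left for review. SAMPLE_ROWS is a constructed subset of the table; EXPECTED_SUFFIXES is an assumption chosen for triage, not a verdict on the sample.

```python
"""Triage a sandbox report's Network table into reviewable indicators.

Added example for this report page, not the sandbox vendor's code. SAMPLE_ROWS
is a constructed subset of the table above; EXPECTED_SUFFIXES is an assumption:
domains accounted for by components that appear elsewhere in this report.
"""
import ipaddress
import re

# Constructed subset of the "Country Destination Domain Proto" rows above.
SAMPLE_ROWS = """\
CH 18.165.185.97:443 d3n1ms4uhtqgov.cloudfront.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.185.165.18.in-addr.arpa udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
GB 184.25.204.41:443 tcp
GB 92.123.128.169:443 r.bing.com tcp
GB 92.123.128.169:443 r.bing.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
N/A 127.0.0.1:49804 tcp
US 104.22.0.235:443 shield.reasonsecurity.com tcp
US 34.214.100.62:443 analytics.apis.mcafee.com tcp
US 172.64.149.23:80 crl.sectigo.com tcp
US 216.239.32.178:80 www.google-analytics.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
"""

# Assumption: hosts explained by the LDPlayer installer, the McAfee WebAdvisor
# and ReasonLabs components listed under Files, browser telemetry, and the
# signing CA's CRL endpoint. Anything else is left for review.
EXPECTED_SUFFIXES = (
    "ldplayer.net", "ldmnq.com", "mcafee.com", "reasonsecurity.com",
    "mozilla.com", "mozilla.net", "bing.com", "bing.net",
    "google-analytics.com", "sectigo.com",
)

# cc, ip:port, optional domain, proto. Rows without a hostname have three fields.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table rows into dicts; fail loudly on a row the regex cannot read."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """Decode a PTR name: '97.185.165.18.in-addr.arpa' -> '18.165.185.97'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def is_expected(domain, suffixes=EXPECTED_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(rows, suffixes=EXPECTED_SUFFIXES):
    """Split rows into expected hosts, hosts to review, DNS queries, PTR
    lookups (mapped to whether the decoded IP was also a destination) and
    loopback traffic. Duplicate connections collapse to one entry."""
    dest_ips = {r["ip"] for r in rows if r["port"] != "53"}
    out = {"expected": set(), "review": set(), "dns_queries": set(),
           "ptr_lookups": {}, "local": set()}
    for r in rows:
        ip = ipaddress.ip_address(r["ip"])
        domain = r["domain"] or ""
        if ip.is_loopback or ip.is_private:
            out["local"].add(f"{r['ip']}:{r['port']}")
        elif domain.endswith(".in-addr.arpa"):
            target = ptr_to_ip(domain)
            out["ptr_lookups"][target] = target in dest_ips
        elif r["port"] == "53":
            out["dns_queries"].add(domain)
        elif domain and is_expected(domain, suffixes):
            out["expected"].add(domain)
        else:
            # No hostname, or a hostname no known component accounts for.
            out["review"].add(domain or f"{r['ip']}:{r['port']}")
    return {k: sorted(v) if isinstance(v, set) else v for k, v in out.items()}


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{bucket}: {items}")
```

On the constructed rows the review bucket holds only the bare 184.25.204.41:443 connection and the cloudfront hostname, which is the point: CDN hostnames and unnamed IPs are the rows a reviewer has to attribute by hand, while the PTR noise to 8.8.8.8 collapses into a note that 18.165.185.97 was already seen as a destination.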

Files

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

MD5 7d5d3e2fcfa5ff53f5ae075ed4327b18
SHA1 3905104d8f7ba88b3b34f4997f3948b3183953f6
SHA256 e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4
SHA512 e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

memory/3240-12-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3240-16-0x0000000005E20000-0x0000000005E34000-memory.dmp

memory/3240-17-0x0000000073B50000-0x0000000073B64000-memory.dmp

memory/3240-18-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/3240-19-0x0000000008410000-0x00000000089B6000-memory.dmp

memory/3240-20-0x0000000008000000-0x0000000008092000-memory.dmp

memory/3240-21-0x0000000009310000-0x0000000009354000-memory.dmp

memory/3240-22-0x00000000093F0000-0x000000000948C000-memory.dmp

memory/3240-23-0x0000000009490000-0x00000000094F6000-memory.dmp

memory/3240-24-0x0000000009A30000-0x0000000009F5C000-memory.dmp

memory/3240-25-0x0000000007FD0000-0x0000000007FDA000-memory.dmp

memory/3240-26-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3240-27-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3240-37-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/3240-38-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\50098b9a-bf24-4f00-b5d3-7aa66794d07d

MD5 09c8390f4629826298e5d54bf94c5eb8
SHA1 144418e915a7aaeb645e2d925227c16fa072a28b
SHA256 fdf12540353d4b541522788f83b67fe559fdf7e67eaff30fd5a493e76dfd2aa3
SHA512 ef9edc09424e958bc3e082d9be702ce87a6cb843965d9552dcc2e4b4df6c61b152a2d5924c6288eeee57d363f792280fb2b16695c96c3a8fc5fb17d19b703aeb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\a4dd6a5f-bb29-43cb-8789-381df8d982db

MD5 938d4a526ee440d02fbff0a7d7031c90
SHA1 f50e5a4c6b7f2e83ec7507f6412e20e2e553ace4
SHA256 64e749a883ad1d3835e74c4124d8804b2bf8f14601598710f92482754bf46733
SHA512 74f0e047ce34112d91ab5b82edfea4a602ab43afa3af2d88e3df3b8b5146fe1ee987f51a583212bfc7d5256eb6941a86c2553e2799078241987f2b8c6c3d8530

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin

MD5 3719ecea7b6de2fea0a8f5f83bca70d8
SHA1 434afd695d29f9b398900b94a6cfa25c0da1ca10
SHA256 095edc1432140fa3587979f2d53b3a29683cd06bc66e965ec594d4a5bba48276
SHA512 6ba3d8240369e1dcb396d3c6100650a59327bd88de8dc2679ef384438b969aa8afdcba49917c2158daab0911ca9d7ed0532058d21adfa48ba61b06d4b265cf07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js

MD5 908eb59849b915082dac5d628fd53150
SHA1 25f46f899920653dc59f9631255e08fc7a47d9d5
SHA256 7606f1c0ebfe813492f56ecf3ecc42f5a537cc239046eabc595844e26d2f0f0b
SHA512 ce6813b1d87df53f4e990da5aa67f3dfeff91da6f3ef26be8f0dc61c2518d1c07e62db48bf65f59a17d1a5bd3a5c82debcf95be04858fef9875fa9ff0f0e3804

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

MD5 388ab23e6b23f5749c55c29ec159b8dd
SHA1 0a8956d3e500edc6bf8254edcf9ccfc31981618e
SHA256 61ce83925eea13e091d52c0d99688d103880c00a215ad523c720a9214917d813
SHA512 b056922d197f4c8314d4197cf28c26501553d5f123682fe849169ccf1d11460fc1dee2ec929086209a02a0f4ee72ab7fca6a2aa2f18a01d668e22a2422e25d65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c8774b9776b045f737fb097ccc56a879
SHA1 abdfec3c0d95b77fe4fc69306943baac4a334763
SHA256 87fd8986a380175ec17987b3f08b74c5870175f1d4a925d5c6422bbefcecf194
SHA512 32b504a7714dd8449a10f8f3f98fe7535394191799b83adac44ec18f3c6ef44e28364a148b948a46c33ce3a07e51365eccaab7b5469cad29ad34882f273efdce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js

MD5 86d335f0c1f8256fd67b577f27bdf307
SHA1 a741431374194c720fff09c50662fd58e244c5a8
SHA256 7710fc0b31ee9f96d8346655e3fd5dbdd0f2654547af3d18d312640e52435dcf
SHA512 1043e69507a3718a9d368bb53eee7a82b9d2efb82c8b4eede696e0b5a5878cad080dcc771746ae0f0e458474ae6deaaf4f38db23d6bbb950a1131070b7d1ea4c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

MD5 409238f03adf1cb6162e7f143712cc4a
SHA1 1ba15f6cbc6aef8f5cacd3e3cb5ec759c75de96c
SHA256 f303cc077e5ed1b4d90c569602dfd178e6e166a28b45cee97403c50fe2760da3
SHA512 4cbb95a25f54f57e7f056f6a912bb7915d604730b41ce0dc375b212ce4170c1a174074120b4836d077a4aabd18430dce57827d927c1b532cce20737308f8347f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4

MD5 f4d29b3d8d93577d6987004ffa7ab10e
SHA1 ce78f413dcfe67e166b8793d0550ceb0a52b5489
SHA256 29c87cd4afd0c237d21d784653873f7e9249de0ca3b31604f09f69349c3e7393
SHA512 a814a8c7157a50f02d62b8b9787a2d34f7e4c8cf0aa516528f0f868399c7b43f15129cc2f72ac0c4f00014ab9d552e9becf7affafa4d6859b3c2eb5e42408b39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionCheckpoints.json.tmp

MD5 948a7403e323297c6bb8a5c791b42866
SHA1 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

MD5 bb7cf61c4e671ff05649bda83b85fa3d
SHA1 db3fdeaf7132448d2a31a5899832a20973677f19
SHA256 9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534
SHA512 63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

memory/5300-230-0x0000018E00240000-0x0000018E00248000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

MD5 3e8d94bd3374ac5872a522eacdb2c5a8
SHA1 7a5dc0382665b5af03899ee0c6a5b23119bae87d
SHA256 d0a001f11de86edb6dfa30d4aa6a04ebe356bc59f92fe1baeea8cd3c3d112ee7
SHA512 aecf144434fa3e21621db3dfc1d4c435a99e4bf4b820836746c1039114be4c16f6436504f1f6fadff9ac4aa1477ebfe2fbd249e68547bce3d1b51558906d38e6

memory/5300-231-0x0000018E1ABD0000-0x0000018E1B0F8000-memory.dmp

memory/5300-232-0x00007FFDA6860000-0x00007FFDA7322000-memory.dmp

memory/5300-233-0x0000018E1A7E0000-0x0000018E1A7F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe

MD5 1fbe1bb0ca5fc21a4a22de67338b0c7e
SHA1 3e0936c34f0c1d9a0b5d831f1fa86718c8edfd97
SHA256 45dc6a6286d3496de8b6045d9021e5185af9d5af9236968e5eca87ea6d5621ec
SHA512 d0fcecc536088449797f67d2442be19d80f6147e8d66fd29f1c401a84185aeb0f2819ec8b4e6c06ac4e6de4c84d740fdbfa2b546f2bb6049dbe36358561bd815

C:\Users\Admin\AppData\Local\Temp\nszA93C.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe

MD5 41a3c2a1777527a41ddd747072ee3efd
SHA1 44b70207d0883ec1848c3c65c57d8c14fd70e2c3
SHA256 8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365
SHA512 14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

memory/5720-307-0x00007FFDA6860000-0x00007FFDA7322000-memory.dmp

memory/5720-308-0x00000259C0FD0000-0x00000259C1058000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsStubLib.dll

MD5 a16602aad0a611d228af718448ed7cbd
SHA1 ddd9b80306860ae0b126d3e834828091c3720ac5
SHA256 a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a
SHA512 305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

memory/5720-310-0x00000259C2DA0000-0x00000259C2DE0000-memory.dmp

memory/5720-312-0x00000259DB4B0000-0x00000259DB4E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsLogger.dll

MD5 83ad54079827e94479963ba4465a85d7
SHA1 d33efd0f5e59d1ef30c59d74772b4c43162dc6b7
SHA256 ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312
SHA512 c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

memory/5720-317-0x00000259DB5A0000-0x00000259DB5B0000-memory.dmp

memory/5720-320-0x00000259DB5B0000-0x00000259DB5EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsJSON.dll

MD5 f8978087767d0006680c2ec43bda6f34
SHA1 755f1357795cb833f0f271c7c87109e719aa4f32
SHA256 221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e
SHA512 54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

memory/5720-318-0x00000259C2D70000-0x00000259C2D71000-memory.dmp

memory/5720-321-0x00000259C1470000-0x00000259C1471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsAtom.dll

MD5 9deba7281d8eceefd760874434bd4e91
SHA1 553e6c86efdda04beacee98bcee48a0b0dba6e75
SHA256 02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9
SHA512 7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

memory/5720-323-0x00000259DB5F0000-0x00000259DB61A000-memory.dmp

C:\LDPlayer\LDPlayer9\LDPlayer.exe

MD5 9cb68d362c41827e38fed4b355a16500
SHA1 7646cb57fe5449339bce79de9479e7c7f15158f9
SHA256 fcd79aad3ee0bddd5a0be3aebea15f51e225f55959897bcbce18bbe806b0cb97
SHA512 dcf97cf0e7c88f0620206957dbc8cda772bbe4565e31825581172c5fea25bc1b2f033db7dbe4d3860cc8b800943e62ac58f6bd92d44d477d1734693a689d12e9

C:\LDPlayer\LDPlayer9\LDPlayer.exe

MD5 f487389f04bf2facbf752318bafff6e2
SHA1 b02ae5a0cb0deb28b3552cad3b3e7dccda5781d2
SHA256 0f72528cb36c7cfcb6fb22783b81bd83b08ecbb72040d1d3637a46ff1c589dfe
SHA512 c6cc724b2f79428cbeaa801d6f54fef3507ce4976e34a20d8baf238ff82879895ba44c0c51c066f086a1a883cb34006b38edadd532e568b42380265197fa9355

memory/5720-327-0x00000259C1490000-0x00000259C1491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\Microsoft.Win32.TaskScheduler.dll

MD5 a09decc59b2c2f715563bb035ee4241e
SHA1 c84f5e2e0f71feef437cf173afeb13fe525a0fea
SHA256 6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149
SHA512 1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\uninstall.ico

MD5 af1c23b1e641e56b3de26f5f643eb7d9
SHA1 6c23deb9b7b0c930533fdbeea0863173d99cf323
SHA256 0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058
SHA512 0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

memory/5720-332-0x00000259DB910000-0x00000259DB968000-memory.dmp

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

MD5 ded746a9d2d7b7afcb3abe1a24dd3163
SHA1 a074c9e981491ff566cd45b912e743bd1266c4ae
SHA256 c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3
SHA512 2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\LDPlayer\LDPlayer9\msvcr120.dll

MD5 814a24f351af5c60025d998b740c65c8
SHA1 025a910474eaabdf6cc14f40a107596cdd508eac
SHA256 109818b3a438f257e95d06a2d14c1370d0318a8f53dd4f0168ebda6e65731b69
SHA512 9a8ab5b02628ac4d2cb63055925a4e839748acc097de1ca5090700f5e73917ccbae75ef5235341906db0f0dec286ed414cadef4afa8153efa6b1a21e47aa5872

C:\LDPlayer\LDPlayer9\MSVCR120.dll

MD5 fa86edfcafa1385e75f5e4c3a80052f5
SHA1 9731ea43b933b1b2d8bfdf1bd6ec929c67efe17a
SHA256 ab1d341dd3827add54a7eef30bbfb72a6761a41fbd40100ea218c44a83960698
SHA512 ab4da39bd9fc50938c170476126c5b8e3a1b5b042ebff1294baffdf4b122b3d18d8ce33b9815170e626bbf96073543fa6d911bb4ad94cd57af3501dcecb1f8c9

C:\LDPlayer\LDPlayer9\msvcp120.dll

MD5 50260b0f19aaa7e37c4082fecef8ff41
SHA1 ce672489b29baa7119881497ed5044b21ad8fe30
SHA256 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA512 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

C:\LDPlayer\LDPlayer9\MSVCP120.dll

MD5 e7ccf2de8dd966aac85175015aa260ff
SHA1 1d54b23554403bd4d283a706b855890d30ac8b7a
SHA256 bde6654d7f0cdeca2057f508816da79833612ce6c55b082aed203b5a239aa3b0
SHA512 1dbee4b7125face0a5d9c7f39e84f1e7841fe7f17d1019c15be1ba536998256800bf017037fac3a8f276c23dc94167ae61e2df42c26796ca579c75746c9bf63a

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 24d726cc9b64209b59c527a4b7533051
SHA1 63c1f7dbc732645f90ffacbdfdb7483570a4824e
SHA256 b452af56f5563b435e5c9ecf0f65e32ccc219eadafb221c268ccc593865d17f7
SHA512 da53366b67fcb41f8f1ff36bbb98f8f5c7c1e97ca123ffedbb0e7019a6c1402c0988487c052679fc867d22c957e4a9d6f82304fabf98e3a0660c624d1c1578fe

C:\LDPlayer\LDPlayer9\dnresource.rcc

MD5 447abfde32c41573dc5bf02c29aa3956
SHA1 f6509344c772143900195f28727630e85057c77a
SHA256 ffbb0bf6bb56e4a2b0aa80de9ec5ae7794e009620938414c9be07fb300c50ff3
SHA512 ffb9026b8ef40c2702693cefb5fa1ea539044521f84fc214f943a69ecfa717185e3dec3a09d2ab17f8fecdb4fd8c9b94f59fd9c5a8770933ac2550d839bc4f4b

C:\LDPlayer\LDPlayer9\crashreport.dll

MD5 ab2970e1128ad247ad84c88270f1208c
SHA1 7efb9bde29794270d6bc2688ce2d1304bc95771f
SHA256 3734164dd3de192b57290890e7c98a50d39038dcb94f870c0269af5a7b97a978
SHA512 3f616db170d8297f47a35770d737a20bfc8fc280ccd04b57f95b8fb27576d36fa8b9f604547c4d91bec2470a4e89ecfbf3f528977cde1a2930ea8891ba3f758a

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 646407cb1fd994aad9e2cfb189e0f4f2
SHA1 217eb3f0cafc99db968d7799a79387c4b7d8f3b2
SHA256 611002ab14db3f55593da54d3529a3e6279c7d87fb3b1316a3259fd091dcb5bd
SHA512 1fd304c88c71a19fd23b3b18b545988a9fbfeb3193d574c6974ce62c7686b2e216e6c27413dca20741ce92a524865c86baf7b38a03b39a5ef69c3c2f0600dd13

C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

MD5 4aa39c9dbf635d33c81757bdf62617e3
SHA1 8bf8fee70126db805c38648a315c34f94edfb94e
SHA256 d69cd1c4cfa063ca25c9d8629e01c045f279fed7daed6f49a06bf5f09f44a21c
SHA512 3ffce45e4f7c4dc57f7d0039aa04bb5a2c3bcdfe5363b5385f626f3359cc087582f5af8838f62cec4463e37d88318479e0aeb2e6944170985fe757a528ea2424

C:\LDPlayer\LDPlayer9\system.vmdk

MD5 63442c561ca895822df0d4d1d82717b8
SHA1 c7aca9bd2b2ac0b59091829bf5cdcb2784c39493
SHA256 714d65523115f6daf90fc76e9a43e4dab43719242c7a220cc2cd7d3983469443
SHA512 8e48b539bb0993fe2e8d069f148b892f872f8a6832b49b985456447dac7e9a432a686c03f7c0e666080d561c783e672c021b12b4e2380e602525ed88102277f5

C:\LDPlayer\LDPlayer9\system.vmdk

MD5 cec3ea83ffe1bcb7d9a776b7cb305215
SHA1 9d1a817802e38351ddf77815e5bf372397f85992
SHA256 21b9df1484ef82f2cd4fb21811c239188690faab33ed08f97e5856dd4424ad4d
SHA512 8dad20f909041236e32cfc000a1c9cec5108f1b1b9ff1b394f664a2d5bf35dd1434bffc649a4dfe873c43a8019c1fd0412fb75ffe23b2f63151d358bdc2153ec

C:\LDPlayer\LDPlayer9\system.vmdk

MD5 9f5a34555216a59ec9a4058960ffd31b
SHA1 63f29bd3bb8d96b5a468f6df5b9e5698b460370c
SHA256 f21b524f336f3e2313ca3466071cba03fed986731daf3f77b9ac17900698815a
SHA512 c8c963e03e3a4a2b21d36608814c2e4bb07c3a303aef1fb4348e1b5075aa235fa942cfddcc16f907d35165d355ab29211d3b9f4c8f1cb8e7539348e8309fbe3c

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismHost.exe

MD5 17275206102d1cf6f17346fd73300030
SHA1 bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166
SHA256 dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6
SHA512 ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt

MD5 864aac1ad87391c05f0f205655dfc5d2
SHA1 1307a834acb4592f01e949c9cf4b277d8e32ce9c
SHA256 f9d66e16b22b6cd83e54413b3b16ef3c188267c2e697fd4b57d2ee2dac8a4133
SHA512 1d6edbe8cb6af9af704b47518c31a44525faa758b7dcb840c4ab26b876b1f5853f7f1517d7ec7d0872335487221e2f678ad2c99828fb930a156b52cb8c2f7be2

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismCorePS.dll

MD5 7f751738de9ac0f2544b2722f3a19eb0
SHA1 7187c57cd1bd378ef73ba9ad686a758b892c89dc
SHA256 db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc
SHA512 0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismProv.dll

MD5 2ac64cc617d144ae4f37677b5cdbb9b6
SHA1 13fe83d7489d302de9ccefbf02c7737e7f9442f9
SHA256 006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44
SHA512 acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\OSProvider.dll

MD5 e9833a54c1a1bfdab3e5189f3f740ff9
SHA1 ffb999c781161d9a694a841728995fda5b6da6d3
SHA256 ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85
SHA512 0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

C:\Windows\Logs\DISM\dism.log

MD5 faa6037dd189e776ab87f1f9428e553f
SHA1 be8d403cc80996752b1412da2f65e8bdd327c542
SHA256 8e127bd55af6205862a04ad729bb94ecf3e443f494062f7c2d0607ac775d5b74
SHA512 cb0cc5368897becab36b2a347704024883341026a406a583976197d34074e310a52724b63e6282ece487811a03c8976b56912e583b2cea57727a99ec63f8039b

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ServicingCommon.dll

MD5 07231bdae9d15bfca7d97f571de3a521
SHA1 04aec0f1afcf7732bc4cd1f7aab36e460c325ba6
SHA256 be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935
SHA512 2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\WimProvider.dll

MD5 bcf8735528bb89555fc687b1ed358844
SHA1 5ef5b24631d2f447c58b0973f61cb02118ae4adc
SHA256 78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c
SHA512 8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ProvProvider.dll

MD5 2ef388f7769205ca319630dd328dcef1
SHA1 6dc9ed84e72af4d3e7793c07cfb244626470f3b6
SHA256 4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf
SHA512 b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\Ffuprovider.dll

MD5 a41b0e08419de4d9874893b813dccb5c
SHA1 2390e00f2c2bc9779e99a669193666688064ea77
SHA256 57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3
SHA512 bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\Vhdprovider.dll

MD5 8a655555544b2915b5d8676cbf3d77ab
SHA1 5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2
SHA256 d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27
SHA512 c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ImagingProvider.dll

MD5 4c6d681704e3070df2a9d3f42d3a58a2
SHA1 a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81
SHA256 f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137
SHA512 daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\TransmogProvider.dll

MD5 c1c56a9c6ea636dbca49cfcc45a188c3
SHA1 d852e49978a08e662804bf3d7ec93d8f6401a174
SHA256 b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf
SHA512 f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\EdgeProvider.dll

MD5 c22cc16103ee51ba59b765c6b449bddb
SHA1 b0683f837e1e44c46c9a050e0a3753893ece24ad
SHA256 eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b
SHA512 2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\LogProvider.dll

MD5 c63f6b6d4498f2ec95de15645c48e086
SHA1 29f71180feed44f023da9b119ba112f2e23e6a10
SHA256 56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde
SHA512 3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

MD5 2930840239b2e57888e0aa0eb996e910
SHA1 61a3f5e8465e46561e43b2aae7b5ba07188c7a4e
SHA256 dc68a8073bc97fcd5b74bfd64ed6560e12fd469677bffed5668dda8a6daa9f24
SHA512 57cbb9293ea940d5f83d93292cb6494fc6ee5ad67608a4175d82ffc3b37ba8c75702961e3624f79408cce689dfa4fcab39016ef991eaa77932d704761233a4aa

C:\Windows\Logs\DISM\dism.log

MD5 ff4a4a3beb8962980b3027db10fe743d
SHA1 67e8d1e51ab4339f6d9a2bdf7804c33d831ef5fd
SHA256 c5678317ba581d7d83133d02db416b49cba4402d33ea065b006a3bd6466c1811
SHA512 8656a7235561437a510e27439e2f8b44731fc8007951157d84ac653fc31e78305044700ffd297303484d1ecf4a28781da0a321805c22ed10084d86788715c33b

memory/1608-959-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-967-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-993-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-1036-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-992-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-983-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1075-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1063-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1076-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-1133-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1171-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1176-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1180-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1214-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1247-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1223-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/5300-1293-0x00007FFDA6860000-0x00007FFDA7322000-memory.dmp

memory/1608-1292-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1312-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1303-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1393-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1369-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1396-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1372-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1410-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1451-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1316-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1276-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1272-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1778-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1813-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1814-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-1815-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-1209-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1841-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-1835-0x00007FF77D330000-0x00007FF77D340000-memory.dmp

memory/1608-1164-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1861-0x00007FF76AF20000-0x00007FF76AF30000-memory.dmp

memory/1608-1871-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1873-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1869-0x00007FF779D30000-0x00007FF779D40000-memory.dmp

memory/1608-1876-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1872-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-1880-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1868-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1864-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-1870-0x00007FF76AF20000-0x00007FF76AF30000-memory.dmp

memory/1608-1867-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1866-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1849-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1860-0x00007FF779D30000-0x00007FF779D40000-memory.dmp

memory/1608-1859-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1857-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1852-0x00007FF71A1A0000-0x00007FF71A1B0000-memory.dmp

memory/1608-1851-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1161-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1142-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1123-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1106-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1070-0x00007FF774540000-0x00007FF774550000-memory.dmp

memory/1608-1034-0x00007FF77E770000-0x00007FF77E780000-memory.dmp

memory/1608-1031-0x00007FF766C70000-0x00007FF766C80000-memory.dmp

memory/1608-1051-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1014-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

memory/1608-1012-0x00007FF774540000-0x00007FF774550000-memory.dmp

C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

MD5 b61e94bccbf70547f1c095c136c5b893
SHA1 c68e63a7b2a3484cfd56bbce7d23e2b677e5ec26
SHA256 65acc657378c1aaa4a3ce763272539a61e29de39d7dab88f7b3aba8ebb6f25ca
SHA512 242980ffd5c5135847a44e8a3d1959ed34372d7cc72d82590aaeff220ef27d0f1fe3810e902fbeded791fcd5c2364d2b4e2ca51bee1799ecf92343340b86db5a

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 667f58966983c2ed22ce69c4f1b51152
SHA1 2d6792f5d2498510d1f9d2914de9d9c56faeba57
SHA256 deacd5d946d1c0df7811fc5a97c89b8c197f134f2005b4db3f5ff7c8162fdced
SHA512 36b39396552ed484f9c7d18eb109c1c4cf920749289850092726774c6612bc1b3cc3fa03782e7bd41df968ba60492432601bb28e3903a8cf4dbfd93b903c88c8

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 a580a8daab3c6a924f69fb703bebb137
SHA1 7deedc489632e50f1094f8a7c12e0470d30af5c8
SHA256 247df49fba2b96b3fba616ea96f215f33e3383e16ab10948f1d52839a1d7717a
SHA512 0a3cb39c4fc4ec95d38dd3001b0de2079f3c92e3cabf40a8ea58ef7acaee8f31721df9b331540b9e75129fd6a24a2060f94fb62a208e678d11e939d4ac2b2564

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 48f8bb1f399839c7c6531e17b73b95e2
SHA1 2e9657f71181e8ffce19c42071df658d07a82561
SHA256 9254d3f9463a77b9d2034c97607114fadede9f5cc609a0ff2abbb6e36c3d2f46
SHA512 e19dbeb8773f2a4e414144d7266e8c0c820c7d9a6da290b9c59dcfefcecdcc6979042fe001078f59f856c874ccbce95b58cbcf0ecf83ad0e911f0c6997c1b3dd

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: all four digests above are those of a zero-byte input, so this file was created empty at the time it was hashed; they carry no content signal and should not be used as indicators.

C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

MD5 a5295cc6836cdfbf93589e0f82161aef
SHA1 79c3b21a14d9b7d7a2284b792ebfdb7f9a313772
SHA256 22b2b26177c58244337dec538a95df735cafd1dab6b3c1804c5cf5a03dbd765e
SHA512 8cc8fc9e3348d066d4e72933efdb1134fb6c3b5d603c2235b312621ea31dddf60dba26b9c8e8b6705dedecb7a3a84e7792929dd8cd95ceede992eeb1323970b7

memory/5300-2561-0x0000018E1A7E0000-0x0000018E1A7F0000-memory.dmp

memory/1168-2562-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

memory/1168-2563-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/5720-2566-0x00007FFDA6860000-0x00007FFDA7322000-memory.dmp

memory/1168-2567-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/1168-2565-0x0000000005610000-0x0000000005C3A000-memory.dmp

memory/1168-2564-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/1168-2786-0x0000000005C40000-0x0000000005C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mbzjp0i.0ob.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1168-2790-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/1168-2791-0x0000000005F10000-0x0000000006267000-memory.dmp

memory/1168-2793-0x00000000063A0000-0x00000000063BE000-memory.dmp

memory/1168-2794-0x0000000006460000-0x00000000064AC000-memory.dmp

memory/1168-2819-0x0000000007360000-0x0000000007394000-memory.dmp

memory/5720-2818-0x00000259DB5A0000-0x00000259DB5B0000-memory.dmp

memory/1168-2820-0x000000006E610000-0x000000006E65C000-memory.dmp

memory/1168-2829-0x0000000007340000-0x000000000735E000-memory.dmp

memory/1168-2830-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/1168-2831-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/1168-2832-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/1168-2833-0x0000000007700000-0x000000000771A000-memory.dmp

memory/1168-2834-0x0000000007780000-0x000000000778A000-memory.dmp

memory/1168-2919-0x0000000007990000-0x0000000007A26000-memory.dmp

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 9325d30c49e8c7f028c75e981cbe372b
SHA1 9183a89a3d12e0cb5c3cf6346e6d945ba192d460
SHA256 724f3291e2dab8468f165e9feba751a272061a08b38a5466d5e62e4cb191c8d3
SHA512 96fcdfdfc0160edcbebffd766967d6c3cbe59041bdc8f8cc372272a62926e6d4a29feef6fce3f5efc93722db3bb8e47304853f2ade368b8f5f4a8c550bc045a4

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 51b7ae854dd15a3fea35e62c6ad02a81
SHA1 2588d6117556af4a4d54c6fe5413d42903506348
SHA256 12c69253a0448dcf3707b13d58fa83512c51fd19a62f734a46665821022a6b3c
SHA512 6341121ed27e6d26f2e7ac6e203ab322ea8bd1f1326f7deda650cc7cd7fe52b259bfc1f5f50f1244832541b4bca6ca15b24c14d6dc37ad6d0484fb06189dce3e

memory/1168-3063-0x0000000007910000-0x0000000007921000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 bc54a9edc2333be36d0dd61a3bd4d0b8
SHA1 1d78add512ccbdf8ff2b61e78a44c74539de93bb
SHA256 e740c735445e11880ba9eb277e98f275c0dde379fe7110c8ef8e37cfbc46ebe1
SHA512 1dc762bf815fc259d87774fd8fc5bcb2b76f3572d1064d29f5c4a0a07d9bf64529f7c3f88e3dfa053d3582ce75244384e0484d0a2dcdb33faf1ca4bf8374a63f

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 84b2b41c01f9bd684690e8f28f62d3ef
SHA1 9b850417c1588205f88a438bd73171c461f30ee6
SHA256 31593aade3b89dbde7fa9286eb7d843ff9f2f3b4a814003684537f3e5d495405
SHA512 0cc0ed57ecbb9add0086229b212405510b4cc3c1424a1f934a08841a1d022a2abed349b67fad3ab6087addc618f9374f2e0f1ac765d9d593a617da87662eccd5

memory/5720-3065-0x00000259DBD20000-0x00000259DBD70000-memory.dmp

memory/1168-3094-0x0000000007950000-0x000000000795E000-memory.dmp

memory/1168-3096-0x0000000007A30000-0x0000000007A4A000-memory.dmp

memory/1168-3212-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/1168-3233-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/5844-3270-0x0000000002360000-0x0000000002370000-memory.dmp

memory/5844-3272-0x0000000002360000-0x0000000002370000-memory.dmp

memory/5844-3269-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/5844-3282-0x0000000005600000-0x0000000005957000-memory.dmp

memory/5844-3403-0x000000007FC50000-0x000000007FC60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\d85da5b2\39f70169_dc7bda01\rsJSON.DLL

MD5 0dafb2d6fa0141c6041b5ed60c985b71
SHA1 2dabbfde1908850a45191a4812a90c27149b9a8f
SHA256 7461ffc8e5d7f3a44d4aa5eb55d632a20deaa6e36bfd8bb5412579d08f29bb0b
SHA512 772cbd3a42a417582db0213eccdd58dcc739cba8d09866749d4f99a201d2f6af9695fdffd5d8b3d86bea9fb3e0c9b8c50209760295f113951110d5f875e7f58c

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\ea7ca16d\39f70169_dc7bda01\rsLogger.DLL

MD5 d47f70a3029d2ec39f314590be3a443d
SHA1 967dce350ce3795ca35345175c8850f991c86156
SHA256 32e1c5dc6d61c4409d525b446eaadbcb16dbc4611fa5a0539624e710cd31568c
SHA512 b33067a09e7d29cfc4dd162e19316bed5e02ea2a71bd68786daea6d0f7dd31d884e2a730dc0376702e2c4509b46e9b495c51ca6448b8b3af6d343a5efff7617e

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\3bf791d8\6433fd68_dc7bda01\rsAtom.DLL

MD5 6201ed501632589169335f0851ca9440
SHA1 eca7c84b94cd39d35c752f1265728062f1f0e750
SHA256 009473efe1b6e3f8922c87fd2f5c8a82ec29ac158d2308a04f6a9fbe43a4e75f
SHA512 7a264bdde7165ff551a8f0079e1fbbca6cb4db8ba2c4dea3d7e9691c9c37a382e3d1c980b2e35f6470a94167be882739afe8bfe6e53265d32415b13c73ce5b6f

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 8d5da17cce79e4d5c656f70dde8d52f0
SHA1 e679d7a90a42b70c535558e8b6bae5f6756da930
SHA256 cb85b2b20abd9d2180e6ef707c163a634d7bc5b7a159412a3d9bfb998fe5965e
SHA512 b7ba2a20bb3314f9f211e546d1c78d5191caa4cd149d64a6480432aaf73152023be9339094d2f6ee7a968e6f3e870b20613482d5d3e01f8afa5867bd9206d5d0

C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\aad67f2d\da810b69_dc7bda01\rsServiceController.DLL

MD5 eaade2a045075e6d194e5b117e479afd
SHA1 a82d4fa02932ea2b7ac8c66bcab023863080ad37
SHA256 8d08a5a93cd324d989400d52ef7cf42b8ad775a93c639ba0c26b4461a7530d39
SHA512 6190498ad51da769e967a8c381b61ff7575df3320b39566ce543ee53769f449646b48a80d2bcca71c7e8d5ad2368cb9742a58437b55c64c218fbb6cf641497a2

C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

MD5 f0f1e170ce1040e80e61154c6dbe3303
SHA1 fb4fb0b55f0114faa440b557731ec79c7e12041e
SHA256 e3eae0eea479ae34405bab220fa576c355ff55f0c5022e197eb8b056d7277aca
SHA512 f47c4492ec0cb8c1b2cef238895015fb75fc9dd046a8c7972dd121d3e4e0cbbcaebaf8870245bba3a7c54880d19fbf4ed51f02f9413fab723b2edc50831c1ffc

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

MD5 11c5b75b4243292a1ac3bfe7c645a8f1
SHA1 3283d147c81acc63b93f85d93902ffe727ecfd4f
SHA256 b0ef9e96c7bfc54db2283d4a1af778c4e034ca71566f3149de945a10136c1812
SHA512 a886f054b5e90f2479f69f51108dcf90ef2ffd7321e2cd1c75050d013de8264fac9510a201c67f922376b6e07c41cd43cc6577b1a91291c3327d26a33466fbc1

C:\LDPlayer\ldmutiplayer\msvcr120.dll

MD5 7aca0a18284f6a6f5f441c2847a36947
SHA1 21cea847c6e87fe137a4446e388cf8cb06033642
SHA256 bd02423dadbfeb2deec6ab7c98ca7a78057491629d589507adcda6db55108076
SHA512 3f70455634c809f921f8c08269a4e419564851b84f1531175788102d7381666e48a3b94a2bee7ead5c05f2455b4bd653bcb31843cc96cccd7769eab0615ebb4a

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

MD5 61e7de0fb11e94079bf456959e67b30a
SHA1 bd04014614867eb7317f6dea1caa5a244254d827
SHA256 89940b1e8babdde5c9ab4a14067ff099ddcbd128073b37f74daf0b70b76fd077
SHA512 15a39cd65434facf38a32cf20e6e0883b3596db8d15b8a9751d75321f995ca72d4ca61a81c30942a74a1ee8e0e5be0c40b159f9feb868ca8b449d1f586f0490e

C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf

MD5 9f48a550c1af13a56e193fef5009fcc5
SHA1 5e74303c9aef5cc22b02c2b05130822316d835ec
SHA256 5619cdaea72726d350adce41ea3ecb13947805fa9d6054ebeba63a34c424ecbb
SHA512 568f5a13eae2effa4b1b760e6191f9f43fb4a3d6b54dfb57211c2b0290ece3c86014e7ca5925cda9526165d4083efc79f9a1d800e4a27726edb3e1e51699ad9a

C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

MD5 4acd5f0e312730f1d8b8805f3699c184
SHA1 67c957e102bf2b2a86c5708257bc32f91c006739
SHA256 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA512 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

MD5 0d19e0478699e3723d7dc5f3535953db
SHA1 f63e0507769d0ca85b3d8f884d87f971861bd3c9
SHA256 95e0c2e2e578fb7e6500854d0c830a852035a3b275aa6fd07eda927863d39da8
SHA512 b4eb88c907db16cc17e8b3638434b7641db831bed74f190fbe4e435fc1b49da9748d9ea74a1fe5473ef4eb65f1aa993dc75aaba8be92ce92b204f997544951ae

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

MD5 52c43baddd43be63fbfb398722f3b01d
SHA1 be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA256 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA512 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

C:\LDPlayer\ldmutiplayer\libeay32.dll

MD5 ba46e6e1c5861617b4d97de00149b905
SHA1 4affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA256 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512 bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

MD5 2d40f6c6a4f88c8c2685ee25b53ec00d
SHA1 faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA256 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA512 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

MD5 34a7f5104b6ac467f879ad2e792d3ba0
SHA1 f7676a590a5320dac2a71acb637176f614a60758
SHA256 1afc3274c26f160ff65b1e29cb334d2fd6459954e873a26c4e83e2073aa8b478
SHA512 1db2abe306d591be381c922ee733007bf39df6b3b275ddba563031db421567d67a9ed3af4e8452ae415f216f3a13bd6a4626786b46e662293726edc5a6604ff4

C:\LDPlayer\ldmutiplayer\ssleay32.dll

MD5 0054560df6c69d2067689433172088ef
SHA1 a30042b77ebd7c704be0e986349030bcdb82857d
SHA256 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

MD5 ad9d7cbdb4b19fb65960d69126e3ff68
SHA1 dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256 a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512 f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc

MD5 c96c70c859951cad5152d8cb66be615a
SHA1 104f011210f5d31e9dc7291942025dad68a9721e
SHA256 fcbdf04b0f2baaeacf9893ff193f171002792a1241386527283f960f2846c7d0
SHA512 6e4bf31dedb5e6200d243cfddaab760bdd811a337d6bf07e9f6ca83a6713b00a033b1a12ccabd3d9664cdc68c3dfa61b524ca0af676f8b616d0c0afde28fb002

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

MD5 aac4d2aae2be727d4750c7f10bbcc625
SHA1 242b86a5b7105411f828ca3720eb07c0ef026b05
SHA256 6467f8be9c2847a4acedb584ae28c0c998d43e594c606ddae6268d30776fa638
SHA512 a88388e95d0ea60138ca7cf337e5f92199277a2f636e66795914cfb1c2e7712ab6b87bac5a30e46fa5d6893a93cea76f88050075dd656ca7accc0424a9b67d0f

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 1264314190d1e81276dde796c5a3537c
SHA1 ab1c69efd9358b161ec31d7701d26c39ee708d57
SHA256 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5
SHA512 a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

C:\LDPlayer\LDPlayer9\dnplayer.exe

MD5 1f5af2baaa21d56ac7e657acbbce1c45
SHA1 5d78718496b55b9b1ca51a370cfe835d0d5897f7
SHA256 4f835ccd0bdb14a1145d68bd8dcbeb921e201f986375ca4244118014a391a828
SHA512 1a00147f110b3732505269c34cd8fcc98148c474b08d7850eded90df6a99b5769f8fbbb57ed633d909409ea3cf45f457815b4490f4b1a673c398d5c8a6e78c78

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

MD5 4eb4a09f1f14126573e02fa08981a8a4
SHA1 549b402a93c7fec943a4dab2d131584c077ee57b
SHA256 3db364c8181620999245cab3a0b86dfb87aeae0231df3d28b0e25ac0beb593ff
SHA512 36ae8f4eca2996057167ecf7ba102f1ec2ad7f0534bd322672fae8259a711ab2486ec1fcb0ba89087309c75ff925ab53bcc1e96b066078b91d723a4b7d3f9c99

C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

MD5 8317bcf206e0ce040f1bbb6b9a7f3bdb
SHA1 36a9851c966c06253e3a3753dc0ebc1fb721b614
SHA256 9124b282b6a4c663092093a8478f82ebc6833f552e3280d7a9a5856f1b81e55f
SHA512 12531b223f33720b379168081791897e3884ea9a5a98e1a2bf88328fcdc0113fd56ff3a36560ad49a7b3a2140861c4b2b6399b0b0f3a29b9839f6f20cc1bce1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 19a8bcb40a17253313345edd2a0da1e7
SHA1 86fac74b5bbc59e910248caebd1176a48a46d72e
SHA256 b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
SHA512 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 96899614360333c9904499393c6e3d75
SHA1 bbfa17cf8df01c266323965735f00f0e9e04cd34
SHA256 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
SHA512 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eda942112fd743383f18abd4211e4e16
SHA1 33770f4ca1c8dc8f911d130a232070f37beea6ae
SHA256 4213cb17adaf6a5101ade42ddd5c48683ee6ae7cf45d629b2d6f655e1bb4e650
SHA512 a12fe0e5851a1fa9c5e27ab2bada691c94ccfe759cb29646a0449bea4da39d90eccf1ec75c94d24d20841a497b1d7f9f40a8b358de9fe9499b62e2d1fc6832cb

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 38ccd4e9d9fc7394d78bae4fdda4cec5
SHA1 29d290baf6ac4ff7ddb3bfb6e4793c511d6e909f
SHA256 0b3cf9a32b0ca88b4ec325775709a0f3a526d97097c63c735bd7a96e0b1f18d4
SHA512 74f6f6628a77b8f7fabd19bfcebe40b39ccb4f3ab43ff2325bf91fe77b49d7a2e7ee3b1cbbbbc1f6667b80562cbcdbe82609751ffa3ec78dcb0bbc4cf46d676d

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 58e41d4dcd4bccd813d8d952a5c78fbe
SHA1 f75e6c6bafb644b913c7d91b1037a53229e35778
SHA256 90a7d2f430cc2a9dfc157a2769b5778b88d5ef3aa35718afe5add23d8716cedc
SHA512 429db6eea1d122198e43a1988187a7924863a6f318db6b522642dd4c95e2f72e9fb17e9cd73a7abceadb15c8daabee100bc1aa1fb32861bbeba03b3c2edba9aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0be3c73c4e7b122ca2c25bc04ec13791
SHA1 669c6d0d3b4a16d1a26156163740069e0550b57e
SHA256 bda98b6bed56223a0792a09270ff3807a9b6e7450b188898c0e98ecc761e0045
SHA512 985d5bb26cba86543d97b58905a8c78ae4765b56097671d3e84da3b7d192176421c400b55f636f0a098da81f5ccff104f6362aaec6fb9cfe4eb20afd75ddd56a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cd5efecaef53eb0128485bbe2af53c54
SHA1 15416f034e4e08279dd0720e8156c48eff64155e
SHA256 8289551a18705adb749d9e9742680c9bd4a6aea2f32e307364f4fe10b5f3a798
SHA512 0c4954b0538c8ddeee3998fd66bb8ab8bdb8cb4d515e6baabf08e34af687766d1f467af4309a58b2ee2bf8de26f659d7c89f9fce69faf1ff485c8073ce050709

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 62bc8f5a6215e2d0aef22a1165ff1510
SHA1 6df62c8119792e12a52a8899481cf9a19cad872b
SHA256 238f125a37ee3e26867e416debfdbbbcf0065067e6a8ba8501dc5e41adbe04bb
SHA512 e515c1a66ba4ced7324585eb47dcc248ecccf71213777303b1b22a877cd665f8b3c035c1a65a693188e5ea6d113113e09b076ed77bdc1624dafebe1b02e2dde9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eae504dbeb4f0a8592a261e0b6ac8263
SHA1 de218225460c810d1ccdbc0f26916917435bb511
SHA256 cadfb36d067876176146414fc8798c747d9849a279ff9b86cc09d1afe2f7643e
SHA512 910852a251f748faee455ae9120457c6cda1811a046f6ddae2730ed014d51f232713fb3bb63755fb2964e37a21eac44a73a76feab20b0a50f91ffa745f36e31e

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 cfc499f22c9954eb3429e510c11050f6
SHA1 d4559c33f56f34733d167fd4d0a64762a1cfba2f
SHA256 109811a4bb8353de78b23a9a938766857ea24590bdb30ca10a67fa0d9004e15d
SHA512 3a64ed71f69bd23a138ae7cbee469bae6dd79039042ec470b48515185d11657b4046aedfc5173ade89572eb16ecafc379fbec22eee506c491b631399613b23d1

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 7f600087a002922ec377eaf192284f61
SHA1 dbc662ac69cf46eed78c1c0d1d25e713c72522eb
SHA256 01727e30891774a4738c6b17ef5f61c260b6798b45d38c83348af104dc87b407
SHA512 6b92b2d806f694f8368659909166bb923ac84599d1be99a91700f8ada714e0e94ff26658216b957356528174fc6689aab9ed69f3ab7c01000e6337079df6c26b

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 8e5cfe1e52ec165b665c7095a9d5b602
SHA1 18485032b934dd146c33661304d581188075f581
SHA256 308600799a8b4506594269a65ac97d4dec273d5e44f3bd399fd042d11f0b1cdb
SHA512 02fc401be620e8308286fa48a9ae8e11a5a89f3694c58786dd849a313a07adf8c5fffa10856890e3dbe22cba187f1d699622b96d35db7ca7d77f53707c30d95f
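The entries above are the sandbox's inventory of files written during detonation, each recorded with four digests, interleaved with memory-region dumps that carry no hashes. Several paths (the McAfee WebAdvisor log files, rsWSC.InstallLog, the Edge Crashpad settings) appear more than once with different digests, which means the file's content changed between captures, and one entry (dataConfig.cab) carries the digests of an empty file. What follows is an added example, not part of the report and not sandbox or vendor code, that parses a listing in this format into a per-path hash table, flags empty-file and multiply-recorded entries, and matches local file content against the recorded SHA256 values. The sample listing is an excerpt copied from the entries above; the names parse_listing, empty_file_entries, rewritten_paths, match_bytes and check_file are this example's own.

```python
"""Turn a sandbox 'Files' listing into a hash lookup and verify content against it.

Added example; the listing text is an excerpt of the report entries above,
the parsing and checks are this example's own, not the sandbox's tooling.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample input: four entries copied verbatim from the report's Files section.
LISTING = r"""
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1608-1014-0x00007FF7329B0000-0x00007FF7329C0000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 667f58966983c2ed22ce69c4f1b51152
SHA1 2d6792f5d2498510d1f9d2914de9d9c56faeba57
SHA256 deacd5d946d1c0df7811fc5a97c89b8c197f134f2005b4db3f5ff7c8162fdced
SHA512 36b39396552ed484f9c7d18eb109c1c4cf920749289850092726774c6612bc1b3cc3fa03782e7bd41df968ba60492432601bb28e3903a8cf4dbfd93b903c88c8

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 a580a8daab3c6a924f69fb703bebb137
SHA1 7deedc489632e50f1094f8a7c12e0470d30af5c8
SHA256 247df49fba2b96b3fba616ea96f215f33e3383e16ab10948f1d52839a1d7717a
SHA512 0a3cb39c4fc4ec95d38dd3001b0de2079f3c92e3cabf40a8ea58ef7acaee8f31721df9b331540b9e75129fd6a24a2060f94fb62a208e678d11e939d4ac2b2564
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Digests of a zero-byte input: an entry matching these is an empty file, not content.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HASH_ALGOS}


def parse_listing(text):
    """Return ({path: [ {algo: digest}, ... ]}, [memory dump names]).

    Each time a path occurs in the listing it gets its own digest dict, so a file the
    sandbox hashed several times (e.g. a log being appended to) keeps every version.
    Lines starting with 'memory/' are region dumps and carry no hashes.
    """
    entries = defaultdict(list)
    dumps = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current}")
            entries[current][-1][algo] = digest
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = line
            entries[current].append({})
    return dict(entries), dumps


def empty_file_entries(entries):
    """Paths whose recorded digests are exactly those of a zero-byte file."""
    return sorted(p for p, versions in entries.items()
                  if any(v and all(v.get(a) == EMPTY_DIGESTS[a] for a in v) for v in versions))


def rewritten_paths(entries):
    """Paths recorded more than once with differing SHA256, i.e. content changed between captures."""
    return sorted(p for p, versions in entries.items()
                  if len({v.get("SHA256") for v in versions}) > 1)


def match_bytes(entries, data):
    """Report paths whose recorded SHA256 equals the SHA256 of `data` (any recorded version)."""
    sha = hashlib.sha256(data).hexdigest()
    return sorted(p for p, versions in entries.items()
                  if any(v.get("SHA256") == sha for v in versions))


def check_file(entries, local_path):
    """Hash a local file and return the listing paths it matches (empty list if none)."""
    with open(local_path, "rb") as fh:
        return match_bytes(entries, fh.read())


if __name__ == "__main__":
    table, dumps = parse_listing(LISTING)
    print("memory dumps:", dumps)
    print("empty files:", empty_file_entries(table))
    print("rewritten paths:", rewritten_paths(table))
```

Matching is done on SHA256 only; the MD5 and SHA1 columns are kept because other sources still index by them, not because they are collision-resistant. A path that shows up in rewritten_paths is one the sandbox captured in more than one state, which is what the report shows for the WebAdvisor log files and is consistent with a log being written to repeatedly rather than with two distinct artifacts.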