Analysis Overview
SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
Threat Level: Known bad
The file LDPlayer9_ens_1001_ld.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Possible privilege escalation attempt
Creates new service(s)
Modifies file permissions
Checks installed software on the system
Launches sc.exe
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Runs net.exe
Opens file in notepad (likely ransom note)
Modifies registry class
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 22:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 22:05
Reported
2024-03-21 22:10
Platform
win11-20240221-en
Max time kernel
92s
Max time network
207s
Command Line
Signatures
Detect ZGRat V1
ZGRat
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ReasonLabs\EPP\uninstall.ico | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A |
| File opened for modification | C:\Program Files\ReasonLabs\EPP\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1001_ld.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.0.308419672\1502400942" -parentBuildID 20221007134813 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {090dfe5a-2044-4f1f-8de2-1379a14b5875} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1856 257b0fd6658 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.1.807468064\1905529515" -parentBuildID 20221007134813 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcb8c57d-beb1-4390-8e8a-a56162e18f54} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 2252 257a4fe2158 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.2.784486280\466958520" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c702474-7bca-46c7-a20a-15258bc4cdc9} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 3004 257b0f5b758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.3.77676369\107666190" -childID 2 -isForBrowser -prefsHandle 936 -prefMapHandle 928 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {344d3e6e-fdd1-4b42-9099-b8f360af489a} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 1392 257a4f61f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.4.499154881\1970499801" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36fa28a3-3743-430d-8e84-e2a95cbdf8ca} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 4784 257b51f0758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.5.750373661\457467406" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 5116 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82047441-1e84-4ed5-9e23-9ae45069d017} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5132 257b81ec158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.6.1268137637\1008957409" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3665f2a1-8aa4-4454-a540-c4f874d508ee} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5260 257b84b3f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4212.7.1725746440\1072110083" -childID 6 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab1f6352-ec3f-4c7a-9cc7-1d6f52576aa7} 4212 "\\.\pipe\gecko-crash-server-pipe.4212" 5460 257b84b2758 tab
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=f77dd757b1d4a6c918c7f74c119f29c35f401c2e&dit=20240321220720546&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe
"C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe" /silent
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe" /silent
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=GB /no_self_update
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=131684
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\dismhost.exe {B5BDA299-25EA-4F9C-BF94-8C47AA74B0A2}
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockCompare.bat
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Program Files\McAfee\Temp4028823192\installer.exe
"C:\Program Files\McAfee\Temp4028823192\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004B4
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda0453cb8,0x7ffda0453cc8,0x7ffda0453cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2028 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7695106699313516926,5908627029909041939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
Network
| NL | 142.250.179.130:443 | securepubads.g.doubleclick.net | tcp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| CH | 13.224.103.126:443 | tagan.adlightning.com | tcp |
| CH | 13.224.95.222:443 | c.amazon-adsystem.com | tcp |
| CH | 13.224.103.126:443 | tagan.adlightning.com | tcp |
| GB | 104.91.71.133:443 | sadownload.mcafee.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\50098b9a-bf24-4f00-b5d3-7aa66794d07d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\a4dd6a5f-bb29-43cb-8789-381df8d982db
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionCheckpoints.json.tmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
C:\Users\Admin\AppData\Local\Temp\2jstkvnw.exe
C:\Users\Admin\AppData\Local\Temp\nszA93C.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\RAVEndPointProtection-installer.exe
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsStubLib.dll
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsLogger.dll
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsJSON.dll
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\rsAtom.dll
C:\LDPlayer\LDPlayer9\LDPlayer.exe
C:\LDPlayer\LDPlayer9\LDPlayer.exe
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\Microsoft.Win32.TaskScheduler.dll
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\uninstall.ico
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
C:\LDPlayer\LDPlayer9\msvcr120.dll
C:\LDPlayer\LDPlayer9\MSVCR120.dll
C:\LDPlayer\LDPlayer9\msvcp120.dll
C:\LDPlayer\LDPlayer9\MSVCP120.dll
C:\LDPlayer\LDPlayer9\dnrepairer.exe
C:\LDPlayer\LDPlayer9\dnresource.rcc
C:\LDPlayer\LDPlayer9\crashreport.dll
C:\LDPlayer\LDPlayer9\dnrepairer.exe
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
C:\LDPlayer\LDPlayer9\system.vmdk
C:\LDPlayer\LDPlayer9\system.vmdk
C:\LDPlayer\LDPlayer9\system.vmdk
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismHost.exe
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismCorePS.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\DismProv.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\OSProvider.dll
C:\Windows\Logs\DISM\dism.log
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ServicingCommon.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\WimProvider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ProvProvider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\Ffuprovider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\Vhdprovider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\ImagingProvider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\TransmogProvider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\EdgeProvider.dll
C:\Users\Admin\AppData\Local\Temp\70053FC2-8A32-4B15-82C2-CA033AD80824\LogProvider.dll
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
C:\Windows\Logs\DISM\dism.log
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2mbzjp0i.0ob.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1168-2790-0x0000000005E10000-0x0000000005E76000-memory.dmp
memory/1168-2791-0x0000000005F10000-0x0000000006267000-memory.dmp
memory/1168-2793-0x00000000063A0000-0x00000000063BE000-memory.dmp
memory/1168-2794-0x0000000006460000-0x00000000064AC000-memory.dmp
memory/1168-2819-0x0000000007360000-0x0000000007394000-memory.dmp
memory/5720-2818-0x00000259DB5A0000-0x00000259DB5B0000-memory.dmp
memory/1168-2820-0x000000006E610000-0x000000006E65C000-memory.dmp
memory/1168-2829-0x0000000007340000-0x000000000735E000-memory.dmp
memory/1168-2830-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/1168-2831-0x00000000073B0000-0x0000000007454000-memory.dmp
memory/1168-2832-0x0000000007D40000-0x00000000083BA000-memory.dmp
memory/1168-2833-0x0000000007700000-0x000000000771A000-memory.dmp
memory/1168-2834-0x0000000007780000-0x000000000778A000-memory.dmp
memory/1168-2919-0x0000000007990000-0x0000000007A26000-memory.dmp
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
| MD5 | 9325d30c49e8c7f028c75e981cbe372b |
| SHA1 | 9183a89a3d12e0cb5c3cf6346e6d945ba192d460 |
| SHA256 | 724f3291e2dab8468f165e9feba751a272061a08b38a5466d5e62e4cb191c8d3 |
| SHA512 | 96fcdfdfc0160edcbebffd766967d6c3cbe59041bdc8f8cc372272a62926e6d4a29feef6fce3f5efc93722db3bb8e47304853f2ade368b8f5f4a8c550bc045a4 |
C:\Program Files\ReasonLabs\EPP\mc.dll
| MD5 | 51b7ae854dd15a3fea35e62c6ad02a81 |
| SHA1 | 2588d6117556af4a4d54c6fe5413d42903506348 |
| SHA256 | 12c69253a0448dcf3707b13d58fa83512c51fd19a62f734a46665821022a6b3c |
| SHA512 | 6341121ed27e6d26f2e7ac6e203ab322ea8bd1f1326f7deda650cc7cd7fe52b259bfc1f5f50f1244832541b4bca6ca15b24c14d6dc37ad6d0484fb06189dce3e |
memory/1168-3063-0x0000000007910000-0x0000000007921000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
| MD5 | bc54a9edc2333be36d0dd61a3bd4d0b8 |
| SHA1 | 1d78add512ccbdf8ff2b61e78a44c74539de93bb |
| SHA256 | e740c735445e11880ba9eb277e98f275c0dde379fe7110c8ef8e37cfbc46ebe1 |
| SHA512 | 1dc762bf815fc259d87774fd8fc5bcb2b76f3572d1064d29f5c4a0a07d9bf64529f7c3f88e3dfa053d3582ce75244384e0484d0a2dcdb33faf1ca4bf8374a63f |
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
| MD5 | 84b2b41c01f9bd684690e8f28f62d3ef |
| SHA1 | 9b850417c1588205f88a438bd73171c461f30ee6 |
| SHA256 | 31593aade3b89dbde7fa9286eb7d843ff9f2f3b4a814003684537f3e5d495405 |
| SHA512 | 0cc0ed57ecbb9add0086229b212405510b4cc3c1424a1f934a08841a1d022a2abed349b67fad3ab6087addc618f9374f2e0f1ac765d9d593a617da87662eccd5 |
memory/5720-3065-0x00000259DBD20000-0x00000259DBD70000-memory.dmp
memory/1168-3094-0x0000000007950000-0x000000000795E000-memory.dmp
memory/1168-3096-0x0000000007A30000-0x0000000007A4A000-memory.dmp
memory/1168-3212-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/1168-3233-0x0000000073290000-0x0000000073A41000-memory.dmp
memory/5844-3270-0x0000000002360000-0x0000000002370000-memory.dmp
memory/5844-3272-0x0000000002360000-0x0000000002370000-memory.dmp
memory/5844-3269-0x0000000073290000-0x0000000073A41000-memory.dmp
memory/5844-3282-0x0000000005600000-0x0000000005957000-memory.dmp
memory/5844-3403-0x000000007FC50000-0x000000007FC60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\d85da5b2\39f70169_dc7bda01\rsJSON.DLL
| MD5 | 0dafb2d6fa0141c6041b5ed60c985b71 |
| SHA1 | 2dabbfde1908850a45191a4812a90c27149b9a8f |
| SHA256 | 7461ffc8e5d7f3a44d4aa5eb55d632a20deaa6e36bfd8bb5412579d08f29bb0b |
| SHA512 | 772cbd3a42a417582db0213eccdd58dcc739cba8d09866749d4f99a201d2f6af9695fdffd5d8b3d86bea9fb3e0c9b8c50209760295f113951110d5f875e7f58c |
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\ea7ca16d\39f70169_dc7bda01\rsLogger.DLL
| MD5 | d47f70a3029d2ec39f314590be3a443d |
| SHA1 | 967dce350ce3795ca35345175c8850f991c86156 |
| SHA256 | 32e1c5dc6d61c4409d525b446eaadbcb16dbc4611fa5a0539624e710cd31568c |
| SHA512 | b33067a09e7d29cfc4dd162e19316bed5e02ea2a71bd68786daea6d0f7dd31d884e2a730dc0376702e2c4509b46e9b495c51ca6448b8b3af6d343a5efff7617e |
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\3bf791d8\6433fd68_dc7bda01\rsAtom.DLL
| MD5 | 6201ed501632589169335f0851ca9440 |
| SHA1 | eca7c84b94cd39d35c752f1265728062f1f0e750 |
| SHA256 | 009473efe1b6e3f8922c87fd2f5c8a82ec29ac158d2308a04f6a9fbe43a4e75f |
| SHA512 | 7a264bdde7165ff551a8f0079e1fbbca6cb4db8ba2c4dea3d7e9691c9c37a382e3d1c980b2e35f6470a94167be882739afe8bfe6e53265d32415b13c73ce5b6f |
C:\Program Files\ReasonLabs\EPP\rsEngine.config
| MD5 | 8d5da17cce79e4d5c656f70dde8d52f0 |
| SHA1 | e679d7a90a42b70c535558e8b6bae5f6756da930 |
| SHA256 | cb85b2b20abd9d2180e6ef707c163a634d7bc5b7a159412a3d9bfb998fe5965e |
| SHA512 | b7ba2a20bb3314f9f211e546d1c78d5191caa4cd149d64a6480432aaf73152023be9339094d2f6ee7a968e6f3e870b20613482d5d3e01f8afa5867bd9206d5d0 |
C:\Users\Admin\AppData\Local\Temp\nszA93D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\aad67f2d\da810b69_dc7bda01\rsServiceController.DLL
| MD5 | eaade2a045075e6d194e5b117e479afd |
| SHA1 | a82d4fa02932ea2b7ac8c66bcab023863080ad37 |
| SHA256 | 8d08a5a93cd324d989400d52ef7cf42b8ad775a93c639ba0c26b4461a7530d39 |
| SHA512 | 6190498ad51da769e967a8c381b61ff7575df3320b39566ce543ee53769f449646b48a80d2bcca71c7e8d5ad2368cb9742a58437b55c64c218fbb6cf641497a2 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
| MD5 | f0f1e170ce1040e80e61154c6dbe3303 |
| SHA1 | fb4fb0b55f0114faa440b557731ec79c7e12041e |
| SHA256 | e3eae0eea479ae34405bab220fa576c355ff55f0c5022e197eb8b056d7277aca |
| SHA512 | f47c4492ec0cb8c1b2cef238895015fb75fc9dd046a8c7972dd121d3e4e0cbbcaebaf8870245bba3a7c54880d19fbf4ed51f02f9413fab723b2edc50831c1ffc |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | 11c5b75b4243292a1ac3bfe7c645a8f1 |
| SHA1 | 3283d147c81acc63b93f85d93902ffe727ecfd4f |
| SHA256 | b0ef9e96c7bfc54db2283d4a1af778c4e034ca71566f3149de945a10136c1812 |
| SHA512 | a886f054b5e90f2479f69f51108dcf90ef2ffd7321e2cd1c75050d013de8264fac9510a201c67f922376b6e07c41cd43cc6577b1a91291c3327d26a33466fbc1 |
C:\LDPlayer\ldmutiplayer\msvcr120.dll
| MD5 | 7aca0a18284f6a6f5f441c2847a36947 |
| SHA1 | 21cea847c6e87fe137a4446e388cf8cb06033642 |
| SHA256 | bd02423dadbfeb2deec6ab7c98ca7a78057491629d589507adcda6db55108076 |
| SHA512 | 3f70455634c809f921f8c08269a4e419564851b84f1531175788102d7381666e48a3b94a2bee7ead5c05f2455b4bd653bcb31843cc96cccd7769eab0615ebb4a |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | 61e7de0fb11e94079bf456959e67b30a |
| SHA1 | bd04014614867eb7317f6dea1caa5a244254d827 |
| SHA256 | 89940b1e8babdde5c9ab4a14067ff099ddcbd128073b37f74daf0b70b76fd077 |
| SHA512 | 15a39cd65434facf38a32cf20e6e0883b3596db8d15b8a9751d75321f995ca72d4ca61a81c30942a74a1ee8e0e5be0c40b159f9feb868ca8b449d1f586f0490e |
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
| MD5 | 9f48a550c1af13a56e193fef5009fcc5 |
| SHA1 | 5e74303c9aef5cc22b02c2b05130822316d835ec |
| SHA256 | 5619cdaea72726d350adce41ea3ecb13947805fa9d6054ebeba63a34c424ecbb |
| SHA512 | 568f5a13eae2effa4b1b760e6191f9f43fb4a3d6b54dfb57211c2b0290ece3c86014e7ca5925cda9526165d4083efc79f9a1d800e4a27726edb3e1e51699ad9a |
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | 0d19e0478699e3723d7dc5f3535953db |
| SHA1 | f63e0507769d0ca85b3d8f884d87f971861bd3c9 |
| SHA256 | 95e0c2e2e578fb7e6500854d0c830a852035a3b275aa6fd07eda927863d39da8 |
| SHA512 | b4eb88c907db16cc17e8b3638434b7641db831bed74f190fbe4e435fc1b49da9748d9ea74a1fe5473ef4eb65f1aa993dc75aaba8be92ce92b204f997544951ae |
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
| MD5 | 8129c96d6ebdaebbe771ee034555bf8f |
| SHA1 | 9b41fb541a273086d3eef0ba4149f88022efbaff |
| SHA256 | 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51 |
| SHA512 | ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 34a7f5104b6ac467f879ad2e792d3ba0 |
| SHA1 | f7676a590a5320dac2a71acb637176f614a60758 |
| SHA256 | 1afc3274c26f160ff65b1e29cb334d2fd6459954e873a26c4e83e2073aa8b478 |
| SHA512 | 1db2abe306d591be381c922ee733007bf39df6b3b275ddba563031db421567d67a9ed3af4e8452ae415f216f3a13bd6a4626786b46e662293726edc5a6604ff4 |
C:\LDPlayer\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
| MD5 | c96c70c859951cad5152d8cb66be615a |
| SHA1 | 104f011210f5d31e9dc7291942025dad68a9721e |
| SHA256 | fcbdf04b0f2baaeacf9893ff193f171002792a1241386527283f960f2846c7d0 |
| SHA512 | 6e4bf31dedb5e6200d243cfddaab760bdd811a337d6bf07e9f6ca83a6713b00a033b1a12ccabd3d9664cdc68c3dfa61b524ca0af676f8b616d0c0afde28fb002 |
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | aac4d2aae2be727d4750c7f10bbcc625 |
| SHA1 | 242b86a5b7105411f828ca3720eb07c0ef026b05 |
| SHA256 | 6467f8be9c2847a4acedb584ae28c0c998d43e594c606ddae6268d30776fa638 |
| SHA512 | a88388e95d0ea60138ca7cf337e5f92199277a2f636e66795914cfb1c2e7712ab6b87bac5a30e46fa5d6893a93cea76f88050075dd656ca7accc0424a9b67d0f |
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | 1264314190d1e81276dde796c5a3537c |
| SHA1 | ab1c69efd9358b161ec31d7701d26c39ee708d57 |
| SHA256 | 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5 |
| SHA512 | a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9 |
C:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | 1f5af2baaa21d56ac7e657acbbce1c45 |
| SHA1 | 5d78718496b55b9b1ca51a370cfe835d0d5897f7 |
| SHA256 | 4f835ccd0bdb14a1145d68bd8dcbeb921e201f986375ca4244118014a391a828 |
| SHA512 | 1a00147f110b3732505269c34cd8fcc98148c474b08d7850eded90df6a99b5769f8fbbb57ed633d909409ea3cf45f457815b4490f4b1a673c398d5c8a6e78c78 |
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | 43fbbd79c6a85b1dfb782c199ff1f0e7 |
| SHA1 | cad46a3de56cd064e32b79c07ced5abec6bc1543 |
| SHA256 | 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0 |
| SHA512 | 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea |
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
| MD5 | 4eb4a09f1f14126573e02fa08981a8a4 |
| SHA1 | 549b402a93c7fec943a4dab2d131584c077ee57b |
| SHA256 | 3db364c8181620999245cab3a0b86dfb87aeae0231df3d28b0e25ac0beb593ff |
| SHA512 | 36ae8f4eca2996057167ecf7ba102f1ec2ad7f0534bd322672fae8259a711ab2486ec1fcb0ba89087309c75ff925ab53bcc1e96b066078b91d723a4b7d3f9c99 |
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
| MD5 | 8317bcf206e0ce040f1bbb6b9a7f3bdb |
| SHA1 | 36a9851c966c06253e3a3753dc0ebc1fb721b614 |
| SHA256 | 9124b282b6a4c663092093a8478f82ebc6833f552e3280d7a9a5856f1b81e55f |
| SHA512 | 12531b223f33720b379168081791897e3884ea9a5a98e1a2bf88328fcdc0113fd56ff3a36560ad49a7b3a2140861c4b2b6399b0b0f3a29b9839f6f20cc1bce1c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 19a8bcb40a17253313345edd2a0da1e7 |
| SHA1 | 86fac74b5bbc59e910248caebd1176a48a46d72e |
| SHA256 | b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e |
| SHA512 | 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 96899614360333c9904499393c6e3d75 |
| SHA1 | bbfa17cf8df01c266323965735f00f0e9e04cd34 |
| SHA256 | 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c |
| SHA512 | 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eda942112fd743383f18abd4211e4e16 |
| SHA1 | 33770f4ca1c8dc8f911d130a232070f37beea6ae |
| SHA256 | 4213cb17adaf6a5101ade42ddd5c48683ee6ae7cf45d629b2d6f655e1bb4e650 |
| SHA512 | a12fe0e5851a1fa9c5e27ab2bada691c94ccfe759cb29646a0449bea4da39d90eccf1ec75c94d24d20841a497b1d7f9f40a8b358de9fe9499b62e2d1fc6832cb |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | 38ccd4e9d9fc7394d78bae4fdda4cec5 |
| SHA1 | 29d290baf6ac4ff7ddb3bfb6e4793c511d6e909f |
| SHA256 | 0b3cf9a32b0ca88b4ec325775709a0f3a526d97097c63c735bd7a96e0b1f18d4 |
| SHA512 | 74f6f6628a77b8f7fabd19bfcebe40b39ccb4f3ab43ff2325bf91fe77b49d7a2e7ee3b1cbbbbc1f6667b80562cbcdbe82609751ffa3ec78dcb0bbc4cf46d676d |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | 58e41d4dcd4bccd813d8d952a5c78fbe |
| SHA1 | f75e6c6bafb644b913c7d91b1037a53229e35778 |
| SHA256 | 90a7d2f430cc2a9dfc157a2769b5778b88d5ef3aa35718afe5add23d8716cedc |
| SHA512 | 429db6eea1d122198e43a1988187a7924863a6f318db6b522642dd4c95e2f72e9fb17e9cd73a7abceadb15c8daabee100bc1aa1fb32861bbeba03b3c2edba9aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0be3c73c4e7b122ca2c25bc04ec13791 |
| SHA1 | 669c6d0d3b4a16d1a26156163740069e0550b57e |
| SHA256 | bda98b6bed56223a0792a09270ff3807a9b6e7450b188898c0e98ecc761e0045 |
| SHA512 | 985d5bb26cba86543d97b58905a8c78ae4765b56097671d3e84da3b7d192176421c400b55f636f0a098da81f5ccff104f6362aaec6fb9cfe4eb20afd75ddd56a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cd5efecaef53eb0128485bbe2af53c54 |
| SHA1 | 15416f034e4e08279dd0720e8156c48eff64155e |
| SHA256 | 8289551a18705adb749d9e9742680c9bd4a6aea2f32e307364f4fe10b5f3a798 |
| SHA512 | 0c4954b0538c8ddeee3998fd66bb8ab8bdb8cb4d515e6baabf08e34af687766d1f467af4309a58b2ee2bf8de26f659d7c89f9fce69faf1ff485c8073ce050709 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 62bc8f5a6215e2d0aef22a1165ff1510 |
| SHA1 | 6df62c8119792e12a52a8899481cf9a19cad872b |
| SHA256 | 238f125a37ee3e26867e416debfdbbbcf0065067e6a8ba8501dc5e41adbe04bb |
| SHA512 | e515c1a66ba4ced7324585eb47dcc248ecccf71213777303b1b22a877cd665f8b3c035c1a65a693188e5ea6d113113e09b076ed77bdc1624dafebe1b02e2dde9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eae504dbeb4f0a8592a261e0b6ac8263 |
| SHA1 | de218225460c810d1ccdbc0f26916917435bb511 |
| SHA256 | cadfb36d067876176146414fc8798c747d9849a279ff9b86cc09d1afe2f7643e |
| SHA512 | 910852a251f748faee455ae9120457c6cda1811a046f6ddae2730ed014d51f232713fb3bb63755fb2964e37a21eac44a73a76feab20b0a50f91ffa745f36e31e |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | cfc499f22c9954eb3429e510c11050f6 |
| SHA1 | d4559c33f56f34733d167fd4d0a64762a1cfba2f |
| SHA256 | 109811a4bb8353de78b23a9a938766857ea24590bdb30ca10a67fa0d9004e15d |
| SHA512 | 3a64ed71f69bd23a138ae7cbee469bae6dd79039042ec470b48515185d11657b4046aedfc5173ade89572eb16ecafc379fbec22eee506c491b631399613b23d1 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 7f600087a002922ec377eaf192284f61 |
| SHA1 | dbc662ac69cf46eed78c1c0d1d25e713c72522eb |
| SHA256 | 01727e30891774a4738c6b17ef5f61c260b6798b45d38c83348af104dc87b407 |
| SHA512 | 6b92b2d806f694f8368659909166bb923ac84599d1be99a91700f8ada714e0e94ff26658216b957356528174fc6689aab9ed69f3ab7c01000e6337079df6c26b |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | 8e5cfe1e52ec165b665c7095a9d5b602 |
| SHA1 | 18485032b934dd146c33661304d581188075f581 |
| SHA256 | 308600799a8b4506594269a65ac97d4dec273d5e44f3bd399fd042d11f0b1cdb |
| SHA512 | 02fc401be620e8308286fa48a9ae8e11a5a89f3694c58786dd849a313a07adf8c5fffa10856890e3dbe22cba187f1d699622b96d35db7ca7d77f53707c30d95f |