cobaltstrike | 2bccda899132b8287824b9c2bde2c6562ac12d36365fcd5720d64d20e3b9c009

Resubmissions

01-04-2024 01:36

240401-b1es5ahh6v 10

28-04-2023 03:51

230428-eegx5sbe78 8

28-04-2023 02:53

230428-ddldhabc78 8

Analysis

max time kernel
138s
max time network
509s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_com.projz.z.android_3210_ld.exe
Size

3.6MB
MD5

d534ec979305cb79edd861760de997d8
SHA1

0152e7516a813b06c67a10b713260377d0f97131
SHA256

2bccda899132b8287824b9c2bde2c6562ac12d36365fcd5720d64d20e3b9c009
SHA512

7e6e494fe2c086cc3668f2fbf8184b8ff9d271565e2af258eef0c81ce22bd6b3c3e008cce77542dafc80040f60f659ff3263bb66e14e62ddc26f251db36805be
SSDEEP

49152:mOKT1DxX1gvw9qcQr1ULjFvnxe2T9g4tGOPtSlX:mOY1N1g49Kr1ULxvxew9g1/

Score

10^/10

cobaltstrike zgrat backdoor discovery exploit persistence rat spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\ReasonLabs\EPP\mc.dll	family_zgrat_v1
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETCAPS\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4616 icacls.exe
5364 takeown.exe
6044 icacls.exe
5064 takeown.exe
3944 icacls.exe
4812 takeown.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5364 takeown.exe
6044 icacls.exe
5064 takeown.exe
3944 icacls.exe
4812 takeown.exe
4616 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

pid	process
4616	icacls.exe
5364	takeown.exe
6044	icacls.exe
5064	takeown.exe
3944	icacls.exe
4812	takeown.exe

pid	process
5364	takeown.exe
6044	icacls.exe
5064	takeown.exe
3944	icacls.exe
4812	takeown.exe
4616	icacls.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rsStubActivator.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

installer.exednrepairer.exeinstaller.exeRAVEndPointProtection-installer.exe

description	ioc	process
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-overlay.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\common_utils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-upsell-toast.js	installer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\wa-res-shared-en-US.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\it.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\wa-res-install-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\wataskmanager.cab	installer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-increase.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\wa-res-install-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\balloon-arrow.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\eula-pt-BR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\eula-pt-PT.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-sk-SK.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\kn.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\packageutils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\icon_failed.png	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\mwb\wa-mwb-checklist.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\telemetry.cab	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nb.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\jslang\wa-res-install-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ext-install-toast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-ko-KR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2152712135\mfw.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-increase.css	installer.exe

Drops file in Windows directory 2 IoCs

Processes:

dism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 11 IoCs

Processes:

rsStubActivator.exesaBSI.exep5pgnu2g.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeLDPlayer.exednrepairer.exedismhost.exeinstaller.exeinstaller.exe

pid	process
4596	rsStubActivator.exe
5040	saBSI.exe
5092	p5pgnu2g.exe
4792	RAVEndPointProtection-installer.exe
3696	rsSyncSvc.exe
1480	rsSyncSvc.exe
2380	LDPlayer.exe
4272	dnrepairer.exe
1848	dismhost.exe
344	installer.exe
4632	installer.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2332 sc.exe
3184 sc.exe
5904 sc.exe
5344 sc.exe
5968 sc.exe
5416 sc.exe
5836 sc.exe
4648 sc.exe

pid	process
2332	sc.exe
3184	sc.exe
5904	sc.exe
5344	sc.exe
5968	sc.exe
5416	sc.exe
5836	sc.exe
4648	sc.exe

Loads dropped DLL 29 IoCs

Processes:

LDPlayer9_es_com.projz.z.android_3210_ld.exep5pgnu2g.exednrepairer.exedismhost.exeRAVEndPointProtection-installer.exeregsvr32.exeregsvr32.exe

pid	process
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
5092	p5pgnu2g.exe
4272	dnrepairer.exe
4272	dnrepairer.exe
4272	dnrepairer.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
1848	dismhost.exe
4792	RAVEndPointProtection-installer.exe
4480	regsvr32.exe
2560	regsvr32.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

dnrepairer.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1548 taskkill.exe
2888 taskkill.exe
2956 taskkill.exe
5048 taskkill.exe
208 taskkill.exe

pid	process
1548	taskkill.exe
2888	taskkill.exe
2956	taskkill.exe
5048	taskkill.exe
208	taskkill.exe

Modifies registry class 23 IoCs

Processes:

dnrepairer.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

LDPlayer9_es_com.projz.z.android_3210_ld.exesaBSI.exeLDPlayer.exednrepairer.exeRAVEndPointProtection-installer.exe

pid	process
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
5040	saBSI.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
2380	LDPlayer.exe
4272	dnrepairer.exe
4272	dnrepairer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe
4792	RAVEndPointProtection-installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_es_com.projz.z.android_3210_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exersStubActivator.exeRAVEndPointProtection-installer.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
Token: SeShutdownPrivilege	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
Token: SeCreatePagefilePrivilege	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	5048	taskkill.exe
Token: SeDebugPrivilege	4596	rsStubActivator.exe
Token: SeDebugPrivilege	4792	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	4792	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	4792	RAVEndPointProtection-installer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe
Token: SeDebugPrivilege	2380	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LDPlayer9_es_com.projz.z.android_3210_ld.exersStubActivator.exep5pgnu2g.exeRAVEndPointProtection-installer.exeLDPlayer.exednrepairer.exenet.exe

description	pid	process	target process
PID 4496 wrote to memory of 1548	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 1548	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 1548	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2888	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2888	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2888	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2956	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2956	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 2956	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 5048	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 5048	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4496 wrote to memory of 5048	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	taskkill.exe
PID 4596 wrote to memory of 5092	4596	rsStubActivator.exe	p5pgnu2g.exe
PID 4596 wrote to memory of 5092	4596	rsStubActivator.exe	p5pgnu2g.exe
PID 4596 wrote to memory of 5092	4596	rsStubActivator.exe	p5pgnu2g.exe
PID 5092 wrote to memory of 4792	5092	p5pgnu2g.exe	RAVEndPointProtection-installer.exe
PID 5092 wrote to memory of 4792	5092	p5pgnu2g.exe	RAVEndPointProtection-installer.exe
PID 4792 wrote to memory of 3696	4792	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 4792 wrote to memory of 3696	4792	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 4496 wrote to memory of 2380	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	LDPlayer.exe
PID 4496 wrote to memory of 2380	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	LDPlayer.exe
PID 4496 wrote to memory of 2380	4496	LDPlayer9_es_com.projz.z.android_3210_ld.exe	LDPlayer.exe
PID 2380 wrote to memory of 4272	2380	LDPlayer.exe	dnrepairer.exe
PID 2380 wrote to memory of 4272	2380	LDPlayer.exe	dnrepairer.exe
PID 2380 wrote to memory of 4272	2380	LDPlayer.exe	dnrepairer.exe
PID 4272 wrote to memory of 5080	4272	dnrepairer.exe	net.exe
PID 4272 wrote to memory of 5080	4272	dnrepairer.exe	net.exe
PID 4272 wrote to memory of 5080	4272	dnrepairer.exe	net.exe
PID 5080 wrote to memory of 3680	5080	net.exe	net1.exe
PID 5080 wrote to memory of 3680	5080	net.exe	net1.exe
PID 5080 wrote to memory of 3680	5080	net.exe	net1.exe
PID 4272 wrote to memory of 2264	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 2264	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 2264	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1640	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1640	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1640	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 4800	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 4800	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 4800	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1832	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1832	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1832	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 3896	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 3896	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 3896	4272	dnrepairer.exe	regsvr32.exe
PID 4272 wrote to memory of 1356	4272	dnrepairer.exe	Conhost.exe
PID 4272 wrote to memory of 1356	4272	dnrepairer.exe	Conhost.exe
PID 4272 wrote to memory of 1356	4272	dnrepairer.exe	Conhost.exe
PID 4272 wrote to memory of 4480	4272	dnrepairer.exe	WerFault.exe
PID 4272 wrote to memory of 4480	4272	dnrepairer.exe	WerFault.exe
PID 4272 wrote to memory of 4480	4272	dnrepairer.exe	WerFault.exe
PID 4272 wrote to memory of 5064	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 5064	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 5064	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 3944	4272	dnrepairer.exe	msedge.exe
PID 4272 wrote to memory of 3944	4272	dnrepairer.exe	msedge.exe
PID 4272 wrote to memory of 3944	4272	dnrepairer.exe	msedge.exe
PID 4272 wrote to memory of 4812	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 4812	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 4812	4272	dnrepairer.exe	takeown.exe
PID 4272 wrote to memory of 4616	4272	dnrepairer.exe	msedge.exe
PID 4272 wrote to memory of 4616	4272	dnrepairer.exe	msedge.exe
PID 4272 wrote to memory of 4616	4272	dnrepairer.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_com.projz.z.android_3210_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_com.projz.z.android_3210_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnupdate.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -downloader -openid=3210 -language=es -path="C:\LDPlayer\LDPlayer9\" -silence
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=1179742
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
PID:3680

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
PID:2264

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
PID:1640

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
4⤵
PID:4800

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
4⤵
PID:1832

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
4⤵
PID:3896

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
4⤵
PID:1356

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
PID:4480

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5064

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3944

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4812

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4616

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
4⤵
- Drops file in Windows directory
PID:1664

C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\dismhost.exe {4323E87E-1367-4C60-AA2A-C6A0E35E20B9}
5⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:4648

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:2332

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:3184

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
4⤵
PID:5740

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
4⤵
PID:5908

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
4⤵
PID:5976

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
4⤵
PID:5888

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
4⤵
PID:5952

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
PID:5904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
PID:5424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
PID:5420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
PID:3052

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
3⤵
PID:6076

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5364

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6044

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.projz.z.android|package=com.projz.z.android
2⤵
PID:904

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:5968

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:5416

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:5836

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
PID:4448

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
PID:1064

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
3⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdaf7e46f8,0x7ffdaf7e4708,0x7ffdaf7e4718
4⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
4⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
4⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
4⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
4⤵
PID:6188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
4⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
4⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
4⤵
PID:6916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
4⤵
PID:6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
4⤵
PID:7720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7424 /prefetch:8
4⤵
PID:7580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7424 /prefetch:8
4⤵
PID:7596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6996 /prefetch:8
4⤵
PID:7760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:8
4⤵
PID:7892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6820 /prefetch:8
4⤵
PID:7932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6484 /prefetch:8
4⤵
PID:7980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5716 /prefetch:8
4⤵
PID:8124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6860 /prefetch:8
4⤵
PID:8172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
4⤵
PID:8152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
4⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
4⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
4⤵
PID:7280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
4⤵
PID:7060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
4⤵
PID:6780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7616 /prefetch:1
4⤵
PID:6604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8044 /prefetch:1
4⤵
PID:7332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
4⤵
PID:6304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
4⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
4⤵
PID:6996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
4⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
4⤵
PID:7364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
4⤵
PID:8000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:1
4⤵
PID:6656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
4⤵
PID:8088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
4⤵
PID:7296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1
4⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
4⤵
PID:6360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
4⤵
PID:7192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8332 /prefetch:1
4⤵
PID:6476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1
4⤵
PID:7752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
4⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
4⤵
PID:6668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8123132654490120098,1933704409484056501,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8588 /prefetch:1
4⤵
PID:7780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
3⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdaf7e46f8,0x7ffdaf7e4708,0x7ffdaf7e4718
4⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,6317456367323290816,668126929126147357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
4⤵
PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
3⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdaf7e46f8,0x7ffdaf7e4708,0x7ffdaf7e4718
4⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
3⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0xb4,0x7ffdaf7e46f8,0x7ffdaf7e4708,0x7ffdaf7e4718
4⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
3⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdaf7e46f8,0x7ffdaf7e4708,0x7ffdaf7e4718
4⤵
PID:5076

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM ldcurl.exe /T
2⤵
- Kills process with taskkill
PID:208

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=3ff901f77105cf4fcb30612b9d7a2e5dbda2ece7&dit=20240401013677985&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\p5pgnu2g.exe
"C:\Users\Admin\AppData\Local\Temp\p5pgnu2g.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\p5pgnu2g.exe" /silent
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
PID:3376

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
PID:968

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:3396

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
PID:3368

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
PID:3244

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
PID:2328

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
4⤵
PID:5252

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
4⤵
PID:4268

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
4⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:344

C:\Program Files\McAfee\Temp2152712135\installer.exe
"C:\Program Files\McAfee\Temp2152712135\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4632

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
4⤵
PID:1972

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:4480

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2560

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
4⤵
PID:2560

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
5⤵
PID:2328

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
4⤵
PID:5148

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:1480

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5300

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5920

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:5824

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5260 -s 2388
2⤵
PID:4480

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:432

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:5396

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:1336

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:2836

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
PID:6060

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
PID:1068

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
PID:1688

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2260 --field-trial-handle=2268,i,10149766557752450813,13651202951286565914,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:1104

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2652 --field-trial-handle=2268,i,10149766557752450813,13651202951286565914,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:6048

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2804 --field-trial-handle=2268,i,10149766557752450813,13651202951286565914,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:2860

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3928 --field-trial-handle=2268,i,10149766557752450813,13651202951286565914,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:6984

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=844 --field-trial-handle=2268,i,10149766557752450813,13651202951286565914,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8156

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
PID:7716

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3bc 0x3c8
1⤵
PID:1188

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
PID:2224

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
PID:1884

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
PID:5860

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
PID:4632

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
PID:6096

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
PID:2316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1356

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8088

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:7156

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
PID:7900

C:\LDPlayer\LDPlayer9\dnuninst.exe
"C:\LDPlayer\LDPlayer9\dnuninst.exe"
2⤵
PID:8060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
PID:8076

C:\LDPlayer\LDPlayer9\dnuninst.exe
"C:\LDPlayer\LDPlayer9\dnuninst.exe"
2⤵
PID:8140

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe
Filesize
652.1MB

MD5
8367968abf3c0f20606e1c521c6ca5ec

SHA1
245a4a002eed800c3e79f6617ab075f751d1f125

SHA256
6af5aa10c1882719736d9c6005d8d1861299601318060b2b39853d05f4f9b4c1

SHA512
6672583c37d6d5adf123da55c76b59c3039d031eb4d6465d16c96fa89d8b905621beeb7f21f7fb3c8f93e0a33097777a92120c64fe384ebaca23f8e3590a2576

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll
Filesize
51KB

MD5
34fefa38fa335d649823e4dafc3d48dc

SHA1
ea0d475f6accfc1db65930254fd0b7f60e78354a

SHA256
01c7ed024ff64c9a390b45a7e3b5c0662014b44cafe388cf664e8aa47672df99

SHA512
13411b190c503cb7ec83fe4e7c7227a919f6c7ddd8d89cb5d0c338544e17bd04c628a162c4da289b6248ea0f6a94bd6333bdb03cbd2a1fba67b07ce71386061c

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
35b4310b193b87d140283176c1d89bd9

SHA1
a1f5cb8c20fa257fe31246f3a9236c43b1f9c7fb

SHA256
7d3b7377901479bc3db8296c3566d14fcdc82c3261e1b00653eee37d0d94eb22

SHA512
5fa786d7ae10bdbb6c5977a1b2a6256e2a014cdcb5b79429b42b4f7f7ee176b5776180b3779fc4f62b4646a77253497d654bb62cbbfb544a433f455e76876f84

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.5MB

MD5
4defa75cb82c7ff460309ca692881797

SHA1
a4216308b86461f461cafd02eac15f996d20889d

SHA256
52d74f59a47815854effe4c10bc5e04ee7092df82a7ea87003d2ec1803634818

SHA512
808c2fc247323954b91d33fb27330ab7948fdc46468ab26c75a3cff3b6921dc348f9ebf23c382a795d049ae04a568c739142668bf58f7391ed54ed6ce83a59b8

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
41.9MB

MD5
31749348b5726e3d21a35a748b2714f3

SHA1
72b5ab7fca36bedbf62068ee6ff1cce90b385e03

SHA256
f975a234a4ce7fd51d5f6c022c90ef326c42cc9c925bd769f8e29f75ca8d15b2

SHA512
5e2c2f3c9e8eb9500d40bce7e5de65b78186da1feef727bde7d4b0b0f5ef03ff91887a7cad5ded941f3062d3bb95b953f7bb212976e4d1fffb2b254dc0ca4022

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc
Filesize
5.0MB

MD5
f845753af4cc7b94f180fb76787e3bc2

SHA1
76ca7babbb655d749c9ed69e0b8875370320cc5a

SHA256
a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990

SHA512
0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\msvcr120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
752.1MB

MD5
e7e5151af360a509152c961fb672e30b

SHA1
809243ac048aea7a7eb30d546a55257d24080d78

SHA256
f5ccdeb26110e6affadc72e8a707aabbdbca05979dae75033943fb125a43757a

SHA512
15d7e7720d00ec3f6a9ea188497280b871bfdf36fd501587c535b4d41cad97a0829d5e76d7687e6cbcbc2945033dc773e0c1a64939a7c8fbaed43df84354aa91

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
753.5MB

MD5
74e09aa0aa167920a6703d3b4a135b90

SHA1
0c44ea9b83270024310800ed6c6c307af479ae8e

SHA256
fc60af229f9476e06eb291011ea5fe7777038bb5b65d776a87349e11ce250c27

SHA512
941272333a39685e6349ebcc268b9a1a87fbe92152c66e60bf087b347af722bacdd0f3158fa3c2a5e8770987b069f65da7ecbb4d7b68a8b5adbb62d799b12cf1

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
753.6MB

MD5
c920e73c815718256d613fe929182f6b

SHA1
0cc1e065b7e6da66775464b9a43a39c6f26eb79b

SHA256
6f35666ca6fd195ce403eec1afc17ebe12611ee84ec39db832df5dd02c6fd44d

SHA512
2776b0f13b2e59ef7f8e22c82a01373045f4a4e73b1e7a8e75a2e068b33e94a780c650e223bb40848aea88339179ddfb21e30b7ac9689e72ac815d2e225bb1ca

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
753.9MB

MD5
b5f35d1efc13195b83351c6261c7da68

SHA1
e5ccabc9458a495c3e321c0e1aa98e89f9931ee0

SHA256
f45a8a6359987514e9a4614b3ce853fe3e9e33066e0485b2dba6763a68774de2

SHA512
39f7606781d5ba5a067b9f079cddda32084c08fbbea0d1398a241017bed37ea0cf88104c7f387ccc40e5e764ee404f47e10fa3e53418ffdf7b1055137695c28b

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
Filesize
917B

MD5
383ee6a90b5acf58e4829ed6bd0dca0a

SHA1
beaa7a2d740bcb0dd56c90cd81739378724bcf62

SHA256
01b6749a52e0b3f498907a03869dc17084f7423c81c537749dcdb9a286513284

SHA512
f84cb9f2262bbe2790656a32a6e2dffd4096d7798f87c57edefd12b43cca00cbfe9596c8703ba52921a42bd630955d953017329c66bbb3d0bd4a4d012c655e05

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
Filesize
641B

MD5
64de28a021d19481e464fef1729a0b27

SHA1
6d673c4587609da0c48174ca9b7e7b2547077226

SHA256
30c6ccfea4aa805158c39cb035b864bb41b251cc445a08846855230ef99b81ed

SHA512
2cd53eeda7b472ba504a8233c93a320bd1c54a80b76e4fceaf25a657831cfc5510ac0a31662c6b839e092538e4abdd7f54cc0344e949e321de92ab140f556f2f

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
309KB

MD5
899cbf01f60c29811701d5ae16069641

SHA1
21a57f0ef3fcd8e77642ed8ce102f4de4e3f308d

SHA256
ea2654b170a306a030a8feeb72d51481df867f437b4459b93e8c306eeebc0ed7

SHA512
8156cd14671a1db3714dffe1cf2294b87f138f87e24599c35dffa3044f76221500182720a4eea7b50b4537fb39d5dd0b0552d1f3902d1c85423061f15f79b05d

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
d406ff32781bf1c802784f135d729d0c

SHA1
65bdc93b8da1238e4b2501d9b5918b5b0a5a46bc

SHA256
4584841cb316baf34199c8eb0cea15cf3b27db476cfe90cae419d7f8c3ad4c25

SHA512
b6f50ea354c75cf9f64dc5a8237697e74e910809cf3b2cf1c230b67add9068f34302986f0cdc0ef006fa78aa969a9198cd9ee22ff1d06de2d180981459290d8a

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
328KB

MD5
72e73a28b48b5feb1a80bf327955c22e

SHA1
f534b6e300497a0032f5713a0a0d473c9c05d32b

SHA256
8c25af2c9c9ebfc64c4c5f94ba63908f13c5028106d5061e25f9e5f7d85632c9

SHA512
0639edd6112dd0556cb6927a60b229a18e3af7df54fd26d199e6151c26fbda5761fb9ba4565ad2694fe0d68c9bc5425ca55fd2bd3734b83997464bef7f9c9a61

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
6f43a71ae3d543a70e6e11e86ee89bda

SHA1
cd265557cc7f9e13fa9f61b01963caf187976fb2

SHA256
f801f5c490eb3b0499009b4a863c117ad72800948b3066e39b2fb39b50c4005a

SHA512
39e286243a247b27439a0ca79e2d5bef7c0bf4ea28c83d797ff458e690499ba7c6d96c6ec0bed1b99c3512bf73c575ec11825022581c0ae271b4eb4bf32be555

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
660B

MD5
705ace5df076489bde34bd8f44c09901

SHA1
b867f35786f09405c324b6bf692e479ffecdfa9c

SHA256
f05a09811f6377d1341e9b41c63aa7b84a5c246055c43b0be09723bf29480950

SHA512
1f490f09b7d21075e8cdf2fe16f232a98428bef5c487badf4891647053ffef02987517cd41dddbdc998bef9f2b0ddd33a3f3d2850b7b99ae7a4b3c115b0eeff7

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
821d1f06019c66220aca01b7e949ed88

SHA1
59206dfe9c8114974a32e17a78433f33dc233bde

SHA256
80575db97280206850629ed53cb7020dc52daf229a375bfa943652b32a3bf454

SHA512
d309592b6106f988ece5bb54728830ed5f0f355a9260d0fdd60f23c54111a6bb5696b02668853ae588eb37c82beeb50349701d8f3964ef0a216996c619c609d1

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
2KB

MD5
22622ab363acd1cb442ee1da798e4caf

SHA1
e1da1bf7522ae608b688b572d6b8714574166199

SHA256
85e052ff490784febda83530e267c3dca37e18173668e1cb0357631b66692d7d

SHA512
f1387c0adadc021633c9e8edeebaf8c3092af32b927ebb17c60e7523fe172cac4f2ae3879eda0b68795f48179e67455ab74de2c7ab1c005671f542d677ff925f

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
17KB

MD5
224d5e42c86777b377413a09a02862d7

SHA1
635a778c70527b31c2e7080d8869981cdf23af69

SHA256
6c71312ee0d570d57735e9e847e937d487e0a7bff77f96c5423648f75fb40a1e

SHA512
b039a76892478ad3c7f4331670b7677deffffbddbf4790fabd78944e4e9fbc78f1a25b72900a4eb49dc985f77e67839bb7897b5c85f081e0eac3b9f30ba4d65b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
6ba44d5ce9cfe1d5edf25d18c74a288f

SHA1
5ec53ca4369272607f5e44572cc52645c52f5905

SHA256
391c0c03b2e7e244fac52e29f8927260915c5ddaceba2891516e0002da9b4f6d

SHA512
0f6e81adbfe6994bfce104d96f5ff502f0f31ef44ae4f90188e56e69c46a4f274f3f252f8460be56c41960a5b65f5ef73b9fca952627b678e2b292509b41c2ea

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
f6f4ca803fb90c77d94bf01bd2bbace5

SHA1
793afb815e160daeb5bdec21522baf91e377f97d

SHA256
1a7c5884bd7495b80aa5d380c8b3e278b7f1c4818d36eda17c8acc93f3522427

SHA512
8e016db5b0b3961c6384e2422b9044ae92e1a8ff34be8479c880b28458a0226bbfd2210563dd4948a24e694af54ea66d1aa574576f1d14cd8b464aa28b5e279f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
0a66d79c12a4a1c285384b5a9d70bb1f

SHA1
6bf23d57bb6aeaf8e172ecb6c7cd5acf61b48829

SHA256
f69ca3c75166264a00836bdb2c803d61184bb50953baa2b6cf8c0fc796901d9e

SHA512
1d8d0b9a6f368891ac08cb57fa0a006680e571ddd226e7ebc2f5f6a942c0a614733c8b6f2528ed9bb2b9143fd4f7a1b6e505c124642a6340f7544ae120302f7c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
476c031c9fa74e027dc6a48ca9369219

SHA1
499dd6ac4c3757d8a5593824db7564d1f973e520

SHA256
9bf1b183fb5c54a6129db53682d063e2c4495118653be978a25ead262f8305c8

SHA512
8cd0f68194f9b0fe1d6f078c04f8893281327bee29316e195cbf70e729a9ae8cf291f8f07f033f7a2ff18f5a520eb014e4ceafcc2ef4173d147f95c6b7cfdad9

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
9c61ccaa1fea10baabc2403f3f3484e2

SHA1
b78b55e290c95116a3eb61f9029ab0342b0b6637

SHA256
3370f03f28ef123cf70ce25d9cddd67bcdd64bbb95884ecce6f5f6f43742f053

SHA512
919d8c8ae178f1dd02bbba6caf9fb08336e8c3e7001a9c23fb34c90ce8704dc0c2e531639779351418adbd422b70b2b272b99d77f172b25161c5f6f46a4364e8

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp
Filesize
5.1MB

MD5
d13bddae18c3ee69e044ccf845e92116

SHA1
31129f1e8074a4259f38641d4f74f02ca980ec60

SHA256
1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0

SHA512
70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp
Filesize
2.9MB

MD5
10a8f2f82452e5aaf2484d7230ec5758

SHA1
1bf814ddace7c3915547c2085f14e361bbd91959

SHA256
97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b

SHA512
6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
0ebb5dcd77253cb0f85e5dd73e6f3c86

SHA1
45bf1bf6c32a23b1c62c935bda6af46d92582817

SHA256
71254734871ca2abd3ce80a6fe2825f29d6c2906695f0848a9d58a4bb357644f

SHA512
b4a2f26ec58b035c0dc8c4eb4871b3ba7738202033303ab5a0286b7ff557b15633522089235ed2c749ec7073216cfcc464ccd7a31fae8d2c15b65e48915e745e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\_metadata\generated_indexed_rulesets\_ruleset1
Filesize
891B

MD5
d7a63ccfe52eeb58faa0f0aa441ab878

SHA1
050ad45533af7c85a5369c48e0ce49634ed62d65

SHA256
3a68db4a7ef75fa420da4db273d62feadf29e863800b584f97460cc6584d1f56

SHA512
583c464b95d9abe2ca9504f44bc3030c0698913470cf7a3890f1f9ae79b2477989b27b4f16cc9e61a991ca1af8b507eb9d4b812d766d6f1f0d2200a32d41c80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\_metadata\verified_contents.json
Filesize
4KB

MD5
cb81bbaf965f60e4ca017aecdf99b3d6

SHA1
27f9f6200ac72aaeb14703a15f671a6943e7fff4

SHA256
00d2190b2d98a901018f20dfd0fe00f1e13bac3a4c9dbdf2281201c210b941de

SHA512
24f09c1563f7d50768d1922fb8be4456dd9b44ca79b04f887b55f057310cb4fe87a963c8e7ef5a224b34f49b3f8744f1ac9653599abb53c12caf999cf054c858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\background.bundle.js
Filesize
1.9MB

MD5
5227d16e0f229ad05a0eaa6633e6ac54

SHA1
d8cb2de5bc7fa6907c57c00902844ca851a0462f

SHA256
f2342d0093403ea309d779eff1674ee051f63b9b8abc993f989e109a8a650360

SHA512
d75210ec46adef0e93e053940844c8679e6f8f6905ab8ae376e81ccad8a7860532216de9222d010fb714dd30fb6db1be977904344c0978007e31d0662f99d436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\contentScript.bundle.js
Filesize
1.0MB

MD5
0567b2e88ef70f6ece239c4214809723

SHA1
67a45fe55447c9661403708e9c67fb45ea267ebe

SHA256
2f06a230480edc1ca57a23dd00e06281d8b0381d411150aefd5a244412b0a002

SHA512
02db91000f9d7261349670984065352d5ab592498d97f51a6c558d0f3e429dbfe0b2dda6547d455eac49f9908a2b1bc5d45caecbb3ac0a699a57acba565640bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\icon-128.png
Filesize
6KB

MD5
a3c4a97b3abf5c40532df4c73b6a0aed

SHA1
487bcc26a31f4545cada98e13532510784f3d9e4

SHA256
dc9ab4985526d23074e9cf2ee176e68dd7a5cd282c147df32733da083b7ce8a6

SHA512
71c82630413b7d9e8f2541bb036b1884c2e88ba5abee2e6abf79744951f1f2e65f7a3d82fb59c274ad7f02b3e49ee5fa2f20973410db3cc2ca92e6bb3dd42fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\icon-34.png
Filesize
1KB

MD5
15b14e66c46e0a83449fea81f4d0e59c

SHA1
c3512dc47f25eb700e21a04f0925aa9d6996f08f

SHA256
10a9008f1b5e61a13f2fc225e9444f17a30036f76855826ff0f881de880db15e

SHA512
c0296a9252e9ea8336a28a73fdeb6d90a3fbd13cb5699f9b90e8b2e3858f041509e8886d056b402c5444e9b36a5950fdb8dc93dd46c15a79d84e1e579b5cd887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\icon-threat.png
Filesize
10KB

MD5
d7be3dbfb6c292dc440d4f72d073715e

SHA1
cae4a585577f6521e1931d09457694e57b9389b6

SHA256
cdd148cc2f8b3d7f008e2827367ef48a2be499ae34dbd22263854cbfeba903f9

SHA512
14a80c3602ec6a50b15baa23d74e894021a733eb14f541534ce51e1b847e4c25835591a6ec821deca093d384b849491866a340de832d6fb138e51330dc833f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\icon-upgrade.png
Filesize
13KB

MD5
8f0dbfccb36007d663b552bb84db01d5

SHA1
709b15810f26fe075d1037b7d90e196f4471d574

SHA256
07b43077658e1bbc63ac5c7431fd1940f74e8231a532a055de9e2fa0ae79b0be

SHA512
064962f997821ab44b523dc6a7524b6ff21352d90fb9e13281a72ad4d09d3431173d96c71277c92cae023f91d435700169113f14171446d52e65e48b1a44f719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\images\arrow.svg
Filesize
782B

MD5
098267b50a118f33b7492712af4fa9d3

SHA1
5662445b9138d268cced9ab71670ea69506e52a5

SHA256
0ec47a14edaf377afdf77304c710ca0021201cb4d815c2883fb06b0253a0286b

SHA512
15300c0637c00480416ce5ad6191015df45686393bb3bd3c75243ae60a2572b1a4d2c5d411628aeb271b73880d4f091558f39c9a68800523a77ce9f5f86266eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\index.bundle.js
Filesize
977KB

MD5
852c3d5d8d86da708877ac6b9618d6ca

SHA1
eabbb78dd6b38f9d51f9b8f8f54f8d60da0c1c4d

SHA256
9f0df1ee4a93f6d708a1bb2e9243af6d9e9e854ae5534796ada4da3abe5bc6e1

SHA512
68b6ceb5452d41d4166e0bf0b9c896e2813fc39dcebbe9e75e433e92f599f1c68edf27454a7175fca53b6846138c016a1aa21e97d46980e93acf8a664ba0e53f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\index.html
Filesize
182B

MD5
d343ef04bba048e61bed6f6aeec790ad

SHA1
2c91570ac1aa82b2117f7358b971e799dadccacb

SHA256
b8b984df05113f680b46c7394172758ec3a171060b201230f9493d863f9e79db

SHA512
ef9fa5c88702ef4e2de2a1849a205cdd653cff7172c2135db595892dff072f45cf50f7d8cc5bec3e2a77665b5f8271d6f62a1bf3d138518df24819ec46031151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\manifest.json
Filesize
2KB

MD5
f10518e47f0eb508b161e82d8c8eeca9

SHA1
557e1caaa3328548ac06b69f2f5359d5077de50f

SHA256
e70e1ff729054b7b56af649a727e5a3912673f7354e4214e023c9a409a9f07b5

SHA512
2d421d10a4cd63f4204fd9c146b9969583d6febbf906668dd673bb7805182e4e51f3429fdf68415b3f0ba5e10a18a6dbb1f80dfd9fe143d9e205ea0e406b34eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\noto-sans-bold.woff
Filesize
12KB

MD5
a65fc7725f81daa832e2ac5d4820c2b1

SHA1
a5602a3cb911cdb6ed538c22f451763d884092f0

SHA256
5adee3972bb1a6f74b582f79a5d3b4735e665c00b2e49938a4fb68755e56d9df

SHA512
f8b07d9d46733c8820cf2466a14203710f10ceba789f80fb700b00ff950e5c1f30fb035939911e4d1a4e7ab92f37ce8f6fb47f5d9ab58f5eb5031804e4ad96a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\noto-sans.woff
Filesize
12KB

MD5
0a66f097fb9215e828bc0ada73d19e45

SHA1
f962197011fa900ec29b4bd14f624a3309854626

SHA256
8e5f3060067847d71c398a897b8f8aecadbacadec3324b41d6eec5b3014fed89

SHA512
060d79916429b617f950a86ef6783198ceb844f26e65b7d26fd667a37c577c5913ba4ef183d2ca0e7f46b3d6e13c128a5bf8c4ae7e0f543c53c051bf13a92fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\rules.json
Filesize
939B

MD5
5736d36e31b7bc0d59788d30260281ea

SHA1
c2810c0335d1760d2ab337db349c362596df06be

SHA256
79ecc25acaf4d184958e339a9e48a1f0d187f82a676843dc6a40ff907e1853f3

SHA512
046686a280f60d50791ff8bd13989ba4bf058f402bc3d45c3688bc60e8ea91e6e44ec3ae8bf66f1e47b66b336ea8b0f70f20ff1279f6dfb377d662d633296c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\segoe-ui-bold.woff
Filesize
19KB

MD5
52382539737f4e9913e4bf6b9966bee3

SHA1
d58d3dc5ff86fe8ff594134df53ea9b8074f6bc6

SHA256
d711a54cb4822ccf7926b1a95b7a43107fcfe8ef99a817e6906a1063657c7b28

SHA512
55f1767cfb589eca775f2849b975d8311295951f8e457be58de34983531961ce4fada3a856daed8d7cd712bd8b5fad53ceecf438949deaafb7d5cb87114ecb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir5872_185320694\CRX_INSTALL\segoe-ui.woff
Filesize
19KB

MD5
9a2931180d6b1dc7b33052657eef554b

SHA1
77b8f3cb5410c779206782a310990c19af2b02ca

SHA256
f424915a692bc5a458d6e7d9c99e4fe0cf5cb8883bd3516b01d4fef5da8d3663

SHA512
e839eb6fa727c6a604da142e7c823c5d8b7d8e33b3d19937da7bc1948c32893b08f0ace35c020e391ab0a9694b479b28282024c3518dac995eb87fd7aa18c631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
0fa9098a56a638ab7b91e3f9aef592ac

SHA1
7ab006100f37689b1e7685acf0c41d13508c1a81

SHA256
c2ba191c2d4fce6237e6b3a1f42a5496ef7e7cda2983adc48dc6286f4c7604fc

SHA512
98487e733c0ccfc5a8609e6fd0a316b0573316101dd2b7a1d0af8a6997f20b34bc4f31dcc1811fd5e3dee013f7d77055a1c57bbfa4370e6d3942c34267322f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7a8de21bd5ea6ecf24857f12aed1f243

SHA1
9dbca722413d121c4acfbdc794262b10cbd1d783

SHA256
59cd69ffd49e27ef7a998df029554e799e52377e90f67c823e7b1b50ced06662

SHA512
0a7cb5cd762125ed2977f47ba58f822cda8b9fc0e5927451177415379ba1bfb5b660e9718d374b124784170132574eb0ff2c2aae4a8bb47d846f481894712b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
2a7fccfb2477469e7832bd41e032469c

SHA1
4ec8cbbaa4b28107695155f5f233be8bd33a1bef

SHA256
27b731d68fedb2980c4688832e13baa084a83e8abb596c9cd24de899d2c1d6c9

SHA512
6d46ea4c47f74a425bbe624ba121db2c7d7e9f2f4333aea6662708d07a7e33e8f93384c7977642e128718fe6a77a96118f062e4f84659ceb9922a7c2eff2e150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
27KB

MD5
cd92455eb39bfe0065446573b448224f

SHA1
05dec53c01973b245783cf47c03a3f9b0d720412

SHA256
f2f76995f5ea231b8fbb2b6668bd1eac05fbebabbaebab1ea743af4951dd26db

SHA512
6bb6570e3c402d59f4d7aae8bdf00b3381541147659b3959edbeefe79f898df62690558fec4368fae8d56f5953d9e8cb1ae977ff2c26b86349b59fec843ec2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3031a320802c0196334e2e371b318a5f

SHA1
8dc84643323e0011e7358415184ac6c9b05f9d21

SHA256
29c22be848955c6d523d41c5ba1367f744a19c7834df3ff6493eb4f18b0ff248

SHA512
3502c17a3ef240b809bd11d63dc546712bfcdb2d6e391b43721d67fe982d728cb128b91989d741a81ccc49d5b5755fa78807f0814ec54091dd7f737444430071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7b320c8c7a3e60fa886e1bf6140ef71c

SHA1
af0077d5be2057b4dac330a46872f5829ddd3357

SHA256
27c1c54959ccdc2c027ef18a29d6f003d1f8b6a2bb9e730705bfc3d753d05303

SHA512
9109005e5722a6309ff6d778b2ba8f34460fa6ad13fb3c96ff7df9aa207983a958ad544120c2fa661234eb894b2579b150d418103df22fd47f3fc662e8b5f2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e6d214271150935a52659239ac1a6f3c

SHA1
9ed408ea81951546ae6da612f4083d22046aa7f3

SHA256
d97c3905636f4ae96dd6955e0f8b76ebe5959d8307dd459d19766e7609a44a00

SHA512
cd01cc4959bac51740cbb6a522ba4375c545e25c253d8f2efe44a224c187c7c9773c7fdd6749668ddbfd5b18904f0c9ebde825b08c3584d28d93d81e80478f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
26b8bac0b1cc64bd4285f1e8161f913c

SHA1
5ca7ef0834b7d1f1fa968294cf532b872de91760

SHA256
827a15b73e100ebcc873594588dba463f66d674a9aa14f351bb9add287c77e3f

SHA512
840a3f9b2fbd04242598efc80593008379a1465e35a3669dd9d5537fa11266fb7ec81d4b00b7b0c4a1415003029181c098731831a7cc70f5e2a60aa28fe72167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ed0ea9dbeac40fde1946fdbac866077b

SHA1
ff6a905447a812708376da6a95f05968a69a4c99

SHA256
0d29511013eb3b8c6761cbf2aaef995b84a8386a94245b603bc6552803523c69

SHA512
c6e02d2553821a027ca5613a5d2f69b559bfca7363ae215a71c42b3e96b6493005c68655a0f392c0143c6dde37b60fdea88862e0f7ab210862fec454462a2d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
022d8d76912739aef098959f3a7e3bf1

SHA1
bf4eab7a435bbfdc394f75d3abe06f7bdd8c9144

SHA256
fea0a8d1354d5ffd245f10f69f1647a86ecf1283515d4095691fc17f1b9383cb

SHA512
aded745300930eea1adca25967bda96453b31f1315f3bd83408ca9bfd20f187f3b921055855e793ce1deb66fe7f1923d3ed4bbd92da6063e3570b9eab4a4fbda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
1efbe56239c0fd2df3a63d1be0eec9b2

SHA1
c7aa48cb6eb6e0d520dbc8dc9559faa9f55fbead

SHA256
62684914b2fe3108e196f0a6d405441fd5bd7c20178963d459dca588509b5df7

SHA512
eb13d01a9ba17218f5e06d9140949033e3d0b82cf8b2a2761e95f7bd69c1d4e26ca262314fca3cfbf345c6aebf89042049716dfcd522042859346a01fd11fac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\AppxProvider.dll
Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\AssocProvider.dll
Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\CbsProvider.dll
Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\DismCore.dll
Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\DismCorePS.dll
Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\DismHost.exe
Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\DismProv.dll
Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\DmiProvider.dll
Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\FfuProvider.dll
Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\FolderProvider.dll
Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\GenericProvider.dll
Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\LogProvider.dll
Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\OSProvider.dll
Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\AppxProvider.dll.mui
Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\AssocProvider.dll.mui
Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\CbsProvider.dll.mui
Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\DismCore.dll.mui
Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\DmiProvider.dll.mui
Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\FfuProvider.dll.mui
Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\FolderProvider.dll.mui
Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DAA604C-F729-4AB9-BFE5-689BD3D6E715\en-US\dismprov.dll.mui
Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
Filesize
27.5MB

MD5
4dbe5f3da40921cd7c962615f8c3ccf7

SHA1
6599facd44e053d43e737035e7c69781e7891ec3

SHA256
62a3405a3f1f3f294ef3a1415a7a42696e6b48aee2ed35c2c62b9aae45bb5e52

SHA512
0c49680a2432192c9a6e9850f05031b6b27449290ea71521cabb607dc8f976d386836c1e292bce56edbb0f8e59db369b847481035c0226e3b9df2d4939219253

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
Filesize
44KB

MD5
bd4a48e7acc466a6421835cf29396970

SHA1
12947b26eb50ddc532b24fda8c9df9da232676f3

SHA256
5520cc81b676e7160e6167d77230071b57a76c632eeffd77b2e99f6c7f529790

SHA512
e0e58c14543a765e4ea739eee6d38d10ddc1b8813a77a2ffb7c637f5e0bb3e247b9a5f3c9a763365d9c7b5ade29c0d021b31166abe604822d79d3318117c5d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4h0rgjzr.abm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF653.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\RAVEndPointProtection-installer.exe
Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\rsAtom.dll
Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\rsJSON.dll
Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\rsLogger.dll
Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\rsStubLib.dll
Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\rsSyncSvc.exe
Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\1073c171\cee3b663_d583da01\rsLogger.DLL
Filesize
178KB

MD5
3b02b63b292e6de7e4e20e2749b6012d

SHA1
dd383bca28e641ffb5ab50cbdd7b000af0109124

SHA256
23f4beac970c48c54ac36e02acc5d15b70058cfe69f40d1479823d3efaed07de

SHA512
f8e1405d2922fad95f7979db1ce2dedc35b304f194c1606d01d98935dbb6d15b8644a7d6294b719473474a7d13ed269ed294150d5f12af5fac5a29002075a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\5b225ef4\cee3b663_d583da01\rsServiceController.DLL
Filesize
173KB

MD5
114ba60855ac117724838299547a50e2

SHA1
a14c3838719a11e3a9ce6e9d462c4b9c677fbcc1

SHA256
c12dc8526042f879c331a7d3ee0fd949eb5d2be394a529f833c9b50136fe5232

SHA512
9d027ca598389a3e7534cd8d5c243d039092ff9e190832d0e1ef4201df8950da3cdf8d82a2ffbb15cbfcfd7fe2ee88d981a235fd7ed4a9d12b7cb7f0e2fdc7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\6e6b78d3\3a83b463_d583da01\rsAtom.DLL
Filesize
158KB

MD5
241b5d3d8c6379df7c2af82dae3e3ad7

SHA1
fa12ed45bf40d4702b26c4ca905c88867271cae2

SHA256
79cafc6dfda1c664812e6fb05366410b94eecd42be895ac3dbcf9c0788f0690e

SHA512
b39b7789a2dbff84ee53c83ba3e50fce76f9c0fd0c5d9193a71d5f2f6573375e5ad87e9dc1131a46cb33e92115ded8444b398f26527ec774d3b686d6d76cc626

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\c8ea6259\cee3b663_d583da01\rsJSON.DLL
Filesize
219KB

MD5
17ce9f60f051ee8ee4128d00a2130212

SHA1
3a7daaaa1f7e61500f56549253ddae87279dd67a

SHA256
922cbecf142ae43e07f03ba999b8a12587569aa01812dc874af2e2afcf0ad212

SHA512
ee40cc7e44b60d0325d6a2851ebd12f6797ca76173c187b7f1387357482ac312d877b83337dea6c0f1cd61f91ad1c65cca4152fd56c324349b491b3b92c903c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF654.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5pgnu2g.exe
Filesize
1.9MB

MD5
98f211273a474168f075a39117ef9707

SHA1
11a95b828bc01610a56d18c706e904b9d7b4c1f1

SHA256
3b94e2f7a964b2dfefdbbdc6a01aa2b08f19b08782991b5f33b6dbc59df0d5ef

SHA512
7026a067e954089567eee8f3749cb577a77fa7e0d492302ab364d9434271a7cd014f12188d65127bad5de4bc58ec12963e267585b610c454999febfd8f9d3985

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\Network Persistent State
Filesize
300B

MD5
640ff02d9592a98d19f0fc60a8dd154f

SHA1
785c334b8643a67b8752288ce08cb5b0088851a9

SHA256
617764b9ea4f141fb8f09e1f14269b213e0388d9655775f18e112982ad2ce9ee

SHA512
489b82ad0dd66fb4f001b8a7dd90dcb05d3fd87d295ad03ed350a6073c4d504eea28d255aba46a592bbc2e65dde3dcf44f9f14633e7191b3055bc7f4877e5b8d

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Cache\Cache_Data\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Cache\Cache_Data\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Cache\Cache_Data\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Local Storage\leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.27.2\Network\Network Persistent State
Filesize
300B

MD5
e72c751513fa4e6b481e8b2adeb06ffa

SHA1
2cabc577ad11138b404901e6abd197bf492e4232

SHA256
709a7657f46bf3960cfa38f2b55c74c2feac924131a33240cbb897ea3ec622ab

SHA512
a1f41245860397379a6a24ae4026a9526eb60057f6b692f3b294a48bb6f529e920341817cd5b6d2d770d32449cd5d74d20f874e8657f037e5cbe6b062b3fd211

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
Filesize
73KB

MD5
9b48a556688043fd98267db3b2a4117f

SHA1
60bd9fc7ae9e2b69121a702b72443aca98ab2f0e

SHA256
344f9abc57786282a47d3594a5e4dbdbde696b085edcfa7d55b573335efb7737

SHA512
5ffe2223a996b76031c8a8395197eb2d9ab9e187ea20cd4011da15b04f4605f1db42f534a41314190d0aa055714928329969bd29f6584ce92c9aa4b2ea2bfd9e

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
238KB

MD5
b6baa6d75444ee40797ed479c67b9229

SHA1
4209d8dc1b0c0f20048e1321f371fff56b8d0390

SHA256
2f74897af7fcbbc08328a47df4d009c03d4ac578e7d8f96cf9b9dfb1e4ba682c

SHA512
77c7a4c959169651f691963469c1bbcfa1bbb507851c0e0fd02eb5e512261e40eab83b582e98f9abde0c53c6bfcdb75c79198a0ab6c68829deedbf9fb8998226

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
276KB

MD5
d06b2d9e0336feb52b4510cc86bedd1b

SHA1
2f04f2e5efa982c9160e7ca1b29eda01403fb0d0

SHA256
8057e22d179f6f3da04a8337c97291be84fa624a800673cd4cf73087e9386f14

SHA512
35966c05494b93c67a0b08ff0613fd8e4a4ae8b1279e357d649bbfd3802ccbdd305c53f57dab70e6fb454c25ae8f0e73e9fcbab18905442bb736edd41527e83f

Download Submit
memory/4496-41-0x000000000BFB0000-0x000000000BFC2000-memory.dmp

Filesize
72KB

Download
memory/4496-38-0x000000000BD00000-0x000000000BD50000-memory.dmp

Filesize
320KB

Download
memory/4496-50-0x00000000067A0000-0x00000000067B0000-memory.dmp

Filesize
64KB

Download
memory/4496-49-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/4496-48-0x00000000067A0000-0x00000000067B0000-memory.dmp

Filesize
64KB

Download
memory/4496-47-0x00000000067A0000-0x00000000067B0000-memory.dmp

Filesize
64KB

Download
memory/4496-46-0x000000000C180000-0x000000000C19A000-memory.dmp

Filesize
104KB

Download
memory/4496-45-0x000000000C140000-0x000000000C15E000-memory.dmp

Filesize
120KB

Download
memory/4496-44-0x000000000C1B0000-0x000000000C216000-memory.dmp

Filesize
408KB

Download
memory/4496-43-0x000000000C100000-0x000000000C132000-memory.dmp

Filesize
200KB

Download
memory/4496-42-0x000000000C0A0000-0x000000000C0C0000-memory.dmp

Filesize
128KB

Download
memory/4496-12-0x00000000067A0000-0x00000000067B0000-memory.dmp

Filesize
64KB

Download
memory/4496-16-0x0000000006820000-0x0000000006834000-memory.dmp

Filesize
80KB

Download
memory/4496-40-0x000000000BE50000-0x000000000BE6A000-memory.dmp

Filesize
104KB

Download
memory/4496-39-0x000000000BEB0000-0x000000000BF62000-memory.dmp

Filesize
712KB

Download
memory/4496-17-0x0000000073780000-0x0000000073794000-memory.dmp

Filesize
80KB

Download
memory/4496-37-0x0000000009B00000-0x0000000009B0A000-memory.dmp

Filesize
40KB

Download
memory/4496-33-0x000000000A420000-0x000000000A94C000-memory.dmp

Filesize
5.2MB

Download
memory/4496-32-0x0000000009B40000-0x0000000009BA6000-memory.dmp

Filesize
408KB

Download
memory/4496-31-0x0000000009E50000-0x0000000009EEC000-memory.dmp

Filesize
624KB

Download
memory/4496-30-0x0000000009A90000-0x0000000009AD4000-memory.dmp

Filesize
272KB

Download
memory/4496-20-0x0000000008FC0000-0x0000000009052000-memory.dmp

Filesize
584KB

Download
memory/4496-19-0x00000000090E0000-0x0000000009684000-memory.dmp

Filesize
5.6MB

Download
memory/4496-18-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/4596-2517-0x00007FFDB19B0000-0x00007FFDB2471000-memory.dmp

Filesize
10.8MB

Download
memory/4596-54-0x0000022A9AB60000-0x0000022A9AB68000-memory.dmp

Filesize
32KB

Download
memory/4596-2744-0x0000022AB4FD0000-0x0000022AB4FE0000-memory.dmp

Filesize
64KB

Download
memory/4596-66-0x00007FFDB19B0000-0x00007FFDB2471000-memory.dmp

Filesize
10.8MB

Download
memory/4596-61-0x0000022AB5410000-0x0000022AB5938000-memory.dmp

Filesize
5.2MB

Download
memory/4596-67-0x0000022AB4FD0000-0x0000022AB4FE0000-memory.dmp

Filesize
64KB

Download
memory/4632-1591-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1918-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-939-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-952-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-1009-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1071-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1137-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1067-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1054-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1070-0x00007FF7FF090000-0x00007FF7FF0A0000-memory.dmp

Filesize
64KB

Download
memory/4632-1904-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1913-0x00007FF7FF090000-0x00007FF7FF0A0000-memory.dmp

Filesize
64KB

Download
memory/4632-1906-0x00007FF7FF090000-0x00007FF7FF0A0000-memory.dmp

Filesize
64KB

Download
memory/4632-1053-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1044-0x00007FF7FF090000-0x00007FF7FF0A0000-memory.dmp

Filesize
64KB

Download
memory/4632-1033-0x00007FF7A4CF0000-0x00007FF7A4D00000-memory.dmp

Filesize
64KB

Download
memory/4632-1027-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1149-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1173-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1203-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1264-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1321-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1332-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1348-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1363-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1366-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1416-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1907-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1914-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1915-0x00007FF7F5A70000-0x00007FF7F5A80000-memory.dmp

Filesize
64KB

Download
memory/4632-1916-0x00007FF7A4CF0000-0x00007FF7A4D00000-memory.dmp

Filesize
64KB

Download
memory/4632-1163-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1928-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1920-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1911-0x00007FF7A4CF0000-0x00007FF7A4D00000-memory.dmp

Filesize
64KB

Download
memory/4632-1893-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1905-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1908-0x00007FF7F5A70000-0x00007FF7F5A80000-memory.dmp

Filesize
64KB

Download
memory/4632-1414-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1899-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1900-0x00007FF7A4CF0000-0x00007FF7A4D00000-memory.dmp

Filesize
64KB

Download
memory/4632-1354-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1324-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1902-0x00007FF7FF090000-0x00007FF7FF0A0000-memory.dmp

Filesize
64KB

Download
memory/4632-1880-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-1300-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1229-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1860-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-1209-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1199-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1192-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1857-0x00007FF7F17C0000-0x00007FF7F17D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1859-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-1188-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1858-0x00007FF807E80000-0x00007FF807E90000-memory.dmp

Filesize
64KB

Download
memory/4632-1177-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1165-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1480-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1442-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1087-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4632-1104-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1128-0x00007FF8092C0000-0x00007FF8092D0000-memory.dmp

Filesize
64KB

Download
memory/4632-1140-0x00007FF7BD500000-0x00007FF7BD510000-memory.dmp

Filesize
64KB

Download
memory/4632-1143-0x00007FF804880000-0x00007FF804890000-memory.dmp

Filesize
64KB

Download
memory/4792-147-0x000001916AE20000-0x000001916AE21000-memory.dmp

Filesize
4KB

Download
memory/4792-3145-0x000001916CB30000-0x000001916CB80000-memory.dmp

Filesize
320KB

Download
memory/4792-141-0x0000019169100000-0x0000019169188000-memory.dmp

Filesize
544KB

Download
memory/4792-143-0x000001916B530000-0x000001916B570000-memory.dmp

Filesize
256KB

Download
memory/4792-145-0x000001916B570000-0x000001916B5A0000-memory.dmp

Filesize
192KB

Download
memory/4792-2748-0x00007FFDB19B0000-0x00007FFDB2471000-memory.dmp

Filesize
10.8MB

Download
memory/4792-149-0x000001916C610000-0x000001916C64A000-memory.dmp

Filesize
232KB

Download
memory/4792-146-0x000001916B5F0000-0x000001916B600000-memory.dmp

Filesize
64KB

Download
memory/4792-150-0x00000191696C0000-0x00000191696C1000-memory.dmp

Filesize
4KB

Download
memory/4792-152-0x000001916B600000-0x000001916B62A000-memory.dmp

Filesize
168KB

Download
memory/4792-153-0x000001916AE00000-0x000001916AE01000-memory.dmp

Filesize
4KB

Download
memory/4792-158-0x000001916C6B0000-0x000001916C708000-memory.dmp

Filesize
352KB

Download
memory/4792-140-0x00007FFDB19B0000-0x00007FFDB2471000-memory.dmp

Filesize
10.8MB

Download
memory/4792-3161-0x000001916B5F0000-0x000001916B600000-memory.dmp

Filesize
64KB

Download
memory/5424-3276-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/5424-3242-0x00000000073B0000-0x00000000073C1000-memory.dmp

Filesize
68KB

Download
memory/5424-3205-0x0000000007430000-0x00000000074C6000-memory.dmp

Filesize
600KB

Download
memory/5424-3192-0x0000000007220000-0x000000000722A000-memory.dmp

Filesize
40KB

Download
memory/5424-3185-0x0000000007800000-0x0000000007E7A000-memory.dmp

Filesize
6.5MB

Download
memory/5424-3175-0x0000000006E70000-0x0000000006F13000-memory.dmp

Filesize
652KB

Download
memory/5424-3171-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/5424-3274-0x00000000073F0000-0x00000000073FE000-memory.dmp

Filesize
56KB

Download
memory/5424-3173-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/5424-3160-0x000000006E570000-0x000000006E5BC000-memory.dmp

Filesize
304KB

Download
memory/5424-3155-0x0000000006440000-0x0000000006472000-memory.dmp

Filesize
200KB

Download
memory/5424-3461-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/5424-2538-0x0000000072E50000-0x0000000073600000-memory.dmp

Filesize
7.7MB

Download
memory/5424-2912-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/5424-2907-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/5424-2743-0x0000000002570000-0x00000000025A6000-memory.dmp

Filesize
216KB

Download
memory/5424-2745-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/5424-2747-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/5424-2757-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download
memory/5424-2759-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download