zgrat | 16371c394db9bf609623c3b7531987cdfb87c9176b6660fdc38f7e0cc8cf51b0

Analysis

max time kernel
109s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
28-04-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

363KB
MD5

7f9017011aa83fe044d3d943463dd9cd
SHA1

704b8c403cccd5eded6e1cb9bde0ec72d344b670
SHA256

16371c394db9bf609623c3b7531987cdfb87c9176b6660fdc38f7e0cc8cf51b0
SHA512

d8f94c25798ca2795805f99317adb900cbc96302c63f1efaf120f80ac398e4afebbbb30413c327577f1783d608219e598fde47807ae6e0b4e1212960fe7dee2a
SSDEEP

6144:rFdh46vGf65WrXk2Was082duwPfUf81hLO7WdbS0Ryze9xPg5vjoo5GtmZ:Jdh43DWas52d9PfUf81hLO7WdbS0RyzP

Score

10^/10

zgrat discovery exploit persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\ReasonLabs\EPP\mc.dll	family_zgrat_v1
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid process

1688 icacls.exe
5768 takeown.exe
6292 icacls.exe
7716 takeown.exe
5716 takeown.exe
1576 icacls.exe

pid	process
1688	icacls.exe
5768	takeown.exe
6292	icacls.exe
7716	takeown.exe
5716	takeown.exe
1576	icacls.exe

Executes dropped EXE 10 IoCs

Processes:

LDPlayer9_ens_1001_ld.exesaBSI.exersStubActivator.exe3mfyy4de.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeLDPlayer.exeinstaller.exeinstaller.exe

pid	process
5616	LDPlayer9_ens_1001_ld.exe
4392	saBSI.exe
944	rsStubActivator.exe
5588	3mfyy4de.exe
3380	RAVEndPointProtection-installer.exe
5348	rsSyncSvc.exe
4112	rsSyncSvc.exe
2900	LDPlayer.exe
2060	installer.exe
6740	installer.exe

Loads dropped DLL 4 IoCs

Processes:

LDPlayer9_ens_1001_ld.exe3mfyy4de.exe

pid process

5616 LDPlayer9_ens_1001_ld.exe
5616 LDPlayer9_ens_1001_ld.exe
5616 LDPlayer9_ens_1001_ld.exe
5588 3mfyy4de.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid process

1688 icacls.exe
5768 takeown.exe
6292 icacls.exe
7716 takeown.exe
5716 takeown.exe
1576 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1688	icacls.exe
5768	takeown.exe
6292	icacls.exe
7716	takeown.exe
5716	takeown.exe
1576	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeinstaller.exeRAVEndPointProtection-installer.exe

description	ioc	process
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-nl-NL.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-el-GR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-es-MX.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\uihost.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\logicmodule.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa_logo2.png	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\balloon_safe_annotation.png	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\updater.exe	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-nb-NO.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\resourcedll.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\mfw.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-it-IT.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-pl-PL.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-sr-Latn-CS.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\settingmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\webadvisor.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa-ui-install.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wataskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\analyticsmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-tr-TR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-zh-CN.js	installer.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\Uninstall.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa-install.css	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-cs-CZ.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-fr-CA.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\analyticstelemetry.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\webadvisor.ico	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\uninstaller.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\telemetry.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-install-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\wa-res-shared-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\logicscripts.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\uimanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\wa_install_check.png	installer.exe
File created	C:\Program Files\McAfee\Temp2326867904\jslang\eula-hr-HR.txt	installer.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

5848 sc.exe
7012 sc.exe
6400 sc.exe
6384 sc.exe
5372 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5848	sc.exe
7012	sc.exe
6400	sc.exe
6384	sc.exe
5372	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1472 taskkill.exe
5800 taskkill.exe
5580 taskkill.exe
4808 taskkill.exe

pid	process
1472	taskkill.exe
5800	taskkill.exe
5580	taskkill.exe
4808	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 808989.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeLDPlayer9_ens_1001_ld.exesaBSI.exeLDPlayer.exe

pid	process
4860	msedge.exe
4860	msedge.exe
3356	msedge.exe
3356	msedge.exe
3424	msedge.exe
3424	msedge.exe
3344	identity_helper.exe
3344	identity_helper.exe
5416	msedge.exe
5416	msedge.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
5616	LDPlayer9_ens_1001_ld.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
4392	saBSI.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
5616	LDPlayer9_ens_1001_ld.exe
2900	LDPlayer.exe
2900	LDPlayer.exe
2900	LDPlayer.exe
2900	LDPlayer.exe
2900	LDPlayer.exe
2900	LDPlayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exe

pid	process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_ens_1001_ld.exetaskkill.exetaskkill.exetaskkill.exersStubActivator.exetaskkill.exeRAVEndPointProtection-installer.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	5616	LDPlayer9_ens_1001_ld.exe
Token: SeShutdownPrivilege	5616	LDPlayer9_ens_1001_ld.exe
Token: SeCreatePagefilePrivilege	5616	LDPlayer9_ens_1001_ld.exe
Token: SeDebugPrivilege	5580	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	944	rsStubActivator.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	3380	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	3380	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	3380	RAVEndPointProtection-installer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe
Token: SeDebugPrivilege	2900	LDPlayer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LDPlayer9_ens_1001_ld.exeLDPlayer.exe

pid process

5616 LDPlayer9_ens_1001_ld.exe
2900 LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3356 wrote to memory of 4596	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4596	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4056	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4860	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 4860	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe
PID 3356 wrote to memory of 1960	3356	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe297d3cb8,0x7ffe297d3cc8,0x7ffe297d3cd8
2⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
2⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
2⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
2⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7140 /prefetch:8
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
2⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
2⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
2⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5416

C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2900

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=131702
4⤵
PID:7892

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
5⤵
PID:7980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
6⤵
PID:5580

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
5⤵
PID:6484

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
5⤵
PID:6396

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
5⤵
PID:6500

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
5⤵
PID:3952

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
5⤵
PID:6280

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
5⤵
PID:6160

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
5⤵
PID:6300

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7716

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6292

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5768

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1688

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
5⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\82353BA4-10C8-412B-8792-C18387B59E56\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\82353BA4-10C8-412B-8792-C18387B59E56\dismhost.exe {71289080-FD8E-48FE-A847-62B0B950234D}
6⤵
PID:7424

C:\Windows\SysWOW64\sc.exe
sc query HvHost
5⤵
- Launches sc.exe
PID:5848

C:\Windows\SysWOW64\sc.exe
sc query vmms
5⤵
- Launches sc.exe
PID:7012

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
5⤵
- Launches sc.exe
PID:6400

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
5⤵
PID:7036

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
5⤵
PID:6756

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
5⤵
PID:6892

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
5⤵
PID:360

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
5⤵
PID:5924

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
5⤵
- Launches sc.exe
PID:6384

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
5⤵
- Launches sc.exe
PID:5372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
PID:6724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
PID:3400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
PID:7752

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
4⤵
PID:5948

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5716

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
2⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8416 /prefetch:1
2⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8588 /prefetch:1
2⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
2⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9032 /prefetch:8
2⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5052 /prefetch:2
2⤵
PID:7232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8816 /prefetch:1
2⤵
PID:6704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9208 /prefetch:1
2⤵
PID:7436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10037311805086994184,862011517659329858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9556 /prefetch:1
2⤵
PID:6612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000488 0x000000000000048C
1⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2060

C:\Program Files\McAfee\Temp2326867904\installer.exe
"C:\Program Files\McAfee\Temp2326867904\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6740

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
4⤵
PID:7128

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
5⤵
PID:8120

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
4⤵
PID:6420

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
4⤵
PID:7048

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
5⤵
PID:6664

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
4⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=91e515b9e3255f51801acae6eab2816b2de87b34&dit=20240428050943481&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\Temp\3mfyy4de.exe
"C:\Users\Admin\AppData\Local\Temp\3mfyy4de.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5588

C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\3mfyy4de.exe" /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:5348

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
PID:6488

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
PID:6288

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:7136

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
PID:6316

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
PID:7484

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
PID:8140

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
4⤵
PID:6800

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4112

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:7052

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:7348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:8012

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5788

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:6172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe
Filesize
553.9MB

MD5
d241283a1557c7304c4d58acf3244c0f

SHA1
59f6a57654e84c3d7dcc385c57ca2cafe4405816

SHA256
a612037a0b5641d960dce2cc29f12abf13a3263b0c4f8bcb833308820b2434f2

SHA512
2bf69bf3b272d52aa4f35d9c95c51d785a46e4bb29e852bc4a97649ef144e78e0e805521d83a244701e9614c2653165757fd405ff75faafd56a76191d6af3aa9

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
0c81805493ab6e2ea8855e27dad4b63e

SHA1
2d1985e253b79f0071cf74ce067faf4d412d14db

SHA256
1beac1e13687b2200fdad579cc93d8216788a9adcaf0885b62af24fa1974c82d

SHA512
a69d94b97a5e74b418060c7d7902dee05ec6a02302fc2f063fb96b38fd6966a9c8419d73208f570b045d29b1f69c7c26dbe9f85abc1aeb7e4a6b4b17f0b7efd4

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.5MB

MD5
f9ddc9083ffa20efd46386eca87582bb

SHA1
8558d23be32806ae0dc6e85dbb548f1507240b1e

SHA256
c2dd00c3f8b25ff6b5d58317249bcd69a150bc29179bfb63cc2242fef4651cea

SHA512
3efed140be34ac956298959ee7dca4161c7b9afd0e06faccc1cfe65def71dd1c856cc16b80d6ad1536f3c7605f3501a75df3220b17654e4708306150deab3276

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
Filesize
5.0MB

MD5
f845753af4cc7b94f180fb76787e3bc2

SHA1
76ca7babbb655d749c9ed69e0b8875370320cc5a

SHA256
a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990

SHA512
0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\ldmutiplayer\msvcp120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\ldmutiplayer\msvcr120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
310KB

MD5
c3b43e56db33516751b66ee531a162c9

SHA1
6b8a1680e9485060377750f79bc681e17a3cb72a

SHA256
040b2e0dea718124b36d76e1d8f591ff0dbca22f7fb11f52a2e6424218f4ecad

SHA512
4724f2f30e997f91893aabfa8bf1b5938c329927080e4cc72b81b4bb6db06fe35dae60d428d57355f03c46dd29f15db46ad2b1036247c0dcde688183ef11313a

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
6d27fe0704da042cdf69efa4fb7e4ec4

SHA1
48f44cf5fe655d7ef2eafbd43e8d52828f751f05

SHA256
0f74ef17c3170d6c48f442d8c81923185f3d54cb04158a4da78495c2ec31863e

SHA512
2c3587acab4461568ac746b4cdf36283d4cb2abe09fc7c085615384e92f813c28cf4fcb4f39ec67860eac9c0e4a5f15021aee712d21a682f8df654968ed40ea3

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
327KB

MD5
9d3d8cd27b28bf9f8b592e066b9a0a06

SHA1
9565df4bf2306900599ea291d9e938892fe2c43a

SHA256
97fe82b6ce5bc3ad96c8c5e242c86396accdf0f78ffc155ebc05f950597cdbd6

SHA512
acefc1552d16be14def7043b21ec026133aabd56f90800e131733c5b0c78316a4d9dc37d6b3093e537ce1974219154e8bd32204127a4ab4d4cd5f3041c6a8729

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
be90740a7ccd5651c445cfb4bd162cf9

SHA1
218be6423b6b5b1fbce9f93d02461c7ed2b33987

SHA256
44fa685d7b4868f94c9c51465158ea029cd1a4ceb5bfa918aa7dec2c528016e4

SHA512
a26869c152ed8df57b72f8261d33b909fb4d87d93dc0061bf010b69bad7b8c90c2f40a1338806c03d669b011c0cb5bbfcd429b7cd993df7d3229002becb658ad

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
defbb0a0d6b7718a9b0eaf5e7894a4b0

SHA1
0495a5eccd8690fac8810178117bf86ea366c8c3

SHA256
c3d2f7e0ad6fd26578595fb3f7c2b202ab6fba595d32dfa5c764922145db0788

SHA512
55dab7ae748a668a2bb57deb6fbff07e6056d97b6f88850890610ac135b8839d3c61f4dc505d3f32cc09a3ff2ce80ce663d0c830f9f399367dc03c92ea7ca89a

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
2KB

MD5
29b414a951e35eef5d0e4f48c047b765

SHA1
b8f444174100fb5d442b9b4821132e0a209db080

SHA256
df097d7b7a2e2ad30a14897116c81c87701c76c65e300f234ab4a7777315e5c3

SHA512
fe86032dc0834358ffce405f2ae26534aa58dc910f9624fec53ef5475e86226e7ab944161a8dafc656913091b7b18fb79b33f0ad1ebf958d8410103ac7206cf7

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
17KB

MD5
ba89e57ee1260eb78dffe0772f2c070f

SHA1
464403bff1c2d4bdad1281d7c53502e2d746d99a

SHA256
e0318c4fa3470305a34e802e60ec64970ae3a44222f84ae24812a26173dff42d

SHA512
75b12ae26d63fea02c162cd3639560b1831e83f0581c9e247cdb76f8700b5aa77910176f22eedf1645dc96264f6ef85d2d4b0d02538741feac9f35bdbbdf1f6e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
bb799d8937a44af632695a4f3f33591a

SHA1
51a2c702d1bdcbfc1081b336ef562f5c9778631f

SHA256
ee983f7281f62f9720d6f632ae7078426fa0d38858ac391efd3eb69e0282fc15

SHA512
be01335ad686c13d4029dd6694b6e996aabac19669b56a598ce843702ffa7ebfb4ea764867e725bc55d64c91fa5fb4b30fb92910f4d785e045f78299f90b64d2

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
ba076bd3e7815b3c8258452857ff87c6

SHA1
2959474b13d879668a3e1d52f584b1821ed0275a

SHA256
f2646d02679afa84f115271389bbdf2de5be59b6c85747d30edc8f9db04ae6b7

SHA512
54ae2cbf50418f7badbc9bab919313dd97fe07a948c9af9dea287e1bd174d692879aa2384f481458d1c1a25d090c1d831ea1690dbd68fe6392fed373f0333549

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
9dfe7e8f0024a9dd4ccb4adf95ff1cb0

SHA1
ab7b7cd9948d07b6cfc62e6e0d5851dd3a51dcd2

SHA256
a73ed322412ee4884b73d5f225f916cf6f61ec3753a25e3c2a1800ca98a11760

SHA512
ad357b5fbbb26f8984e78e52c0b4b44afd16215a2d6c0dfd358164f927eccb9fb57b9f1205eb1693c780197e2c3dfbd1fd7ac9ba87cefb3501034349b9c9351d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
6a6f8ef389950e47235468e8026af60c

SHA1
20da706ed603b0b514bc3c612deaccba27616660

SHA256
c9670a3b1fe1fe2abd924c8f9ca30b87ce6b5f7ac1d8ef69a3c495d36797ffa6

SHA512
a637effecd1001013f12cc90f52ef21a69219c4efa572a59ee207b4ce3193500837637cbbfce623a3844d8bd708736579ab77fbee3f3089ac6ec90f608fac690

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
71bf2fde383becf686050d53b9a8f424

SHA1
79b046ee4cff7d6f5d236bda5d95f371d9866cc1

SHA256
85d483193b6f23eff1a68b7168b4a8c5bc5c0d11e342b9e942063ba9d1fcd97c

SHA512
378071844cbda117954ccfb28e08a39a2f23908697aef4c0ec2c3af01810028e7944d8b46406b8aab0a89df1e2a33509235300320103dd82783995862428dd0d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
743B

MD5
a1bfc0ecd55555430e94778f49895af7

SHA1
22a72462b899e694012d6ba6fbb4a6dd06bb1c0f

SHA256
9f2d4f84e4f4521c160507a40dc2d724046ce5a536a26e2323c4ca2289cb6d3d

SHA512
5380b78806c45367080b36d261a4e87d5bc212c89f05b8e9f83cf4152e7c08d18f4e1d3629db58a25346e0035c63d3fc6f17075174d092836f9134fca79b15f8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
41f620189dcca2c64a9cd0e67a90958d

SHA1
75aeb6dde1514d778b845857bb4aca422384f233

SHA256
ff7a5fc0a1d0f81b3f9e34f85b1b95eb9f86c4f19ba167f652d99624ee0b82be

SHA512
a35b792448048fc4f95a10b621790339ee2458f8573ced055111cd63cd258d9cc5ffd0070639c4524fe83fbcd7f16843412df36ab97a76552d886c6ac7729454

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
375a1fef1e91d3611313c42aed65a5db

SHA1
032648375798275f23f4dbd35b2964b13b5adb67

SHA256
06365ad576bbd6c87b1cb7bba01c3ec42db2740e5b6e7e78ab2d19cbec887261

SHA512
d9161ea5cec5a87f0ccff5bb40d85106fe53dec3891e6abf28c969553e3f8da474a4a0b084d944ba9b2e3bfb1c7cbd0698da5cb6db7aac7e7f177e0b3edc129a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt
Filesize
1KB

MD5
bfdbe6759022aca0e9559ab061637e9f

SHA1
83377a1541c0b4ba9ef73cbfa39f7b895cd97ac5

SHA256
7c7445e2328c78213f48ebf165897a45e0ee1f90622c970fe184ab8809d1cb95

SHA512
9f0249fea8a574814523a88ac392a09cb179d3c9819b42dd8c0fadb8032d43cc5b138fbfcfe225623bb384fee95aadc688a517223203ae5c499f1f9c604e6477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
2KB

MD5
fe16ef829f7d00550504b85cf2fc6059

SHA1
6f2ed70fb5d4e60199c90105ae1b410efe58ec3f

SHA256
091e0dcfc6cc602498c006a3b9f1af8a6b959b9d59a0bf8344dfdd7ee522abfc

SHA512
f6ffc3289a5401551ba5a4b0ab73009d2d5ee35fb7899e87b189b2ca60b134e3a23190a954edad519683d0e46246c8d74834bcd8a5fac4672f033504220a2374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
b63898d60bbab1295f92d1a45f2d2c87

SHA1
9e2136fd3943e2a3de618bac9ebcfcdcfdec2da7

SHA256
fb40240055a28e05e9f0fca1b020d7769ea2817d50e2f0d8373a2ba990890aa9

SHA512
a34280dbe0bb0027a87c715c8ee547078baaa02ba7b23185a069e537ba7f8c5b0dfc6510af021b10c60705f605223e7e8cc0b3268ef341ffb357f7804b9cb4ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
903d6a61845afeb790ef65cc296777c3

SHA1
9c61c3bda4b9e0f99b18c3d6647225c5c3bb2422

SHA256
31deead42b77b4077c749863287248621a7e090119aba30fc9a915fef857fbc6

SHA512
dae2ff608157c54aafe8bfaaaa5a610998f1e299c77c076a17f6d1bcd0690ab8420017b832288aa7bc079d7372bf3642cfdeef9aebe373e168002ec4493fab6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
34dd4aa93fdc1a030890ab6dd5aed5dd

SHA1
5f0b90fa4bd16aada92dcd0070f11653583781e1

SHA256
b4033aabf5332fc0f824497e0d3a74f6fe7a0b96212b3697a59ec23cec7077cd

SHA512
d769950e916ae7241d12822c788302254403420f9de8838c761a303483f3a19153ad1765a59f74680ec04de5ade63e97ab571c9bee01d9059e2dac89c787557e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1e4ed4a50489e7fc6c3ce17686a7cd94

SHA1
eac4e98e46efc880605a23a632e68e2c778613e7

SHA256
fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

SHA512
5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8ff8bdd04a2da5ef5d4b6a687da23156

SHA1
247873c114f3cc780c3adb0f844fc0bb2b440b6d

SHA256
09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

SHA512
5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041
Filesize
62KB

MD5
5f5c6cdcde1ba34673154d877002d8d7

SHA1
3cc4237f20530c28344da331e067641d89d90092

SHA256
9aa4b3805834280aa43e3c00c032265d60d4537a36cff4d2b8b1a5e722751fac

SHA512
5c5e4798b781baa953445daca960d16fd7dada8f25f85eef22bb97648b6e60784f539e75b9177c571d27b51062e77a40e373d77c3f40447591be3681da4ccdb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042
Filesize
31KB

MD5
7ad7f8b226329acba12aab120767031a

SHA1
1700a9c957a574aef1e80ae5a9b8de0e00f64295

SHA256
e780b4f5e426db26bb37add473fb6e21dd07a3bb2667be7068d39e18ba6d4906

SHA512
2039e35310ac7b98795e406407a417b210198ca01fd9a65a9d6cef778efa2f39d4daf7a669dad10bda62c54394183eb94d1f17afc3376589011938fc493f80fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
98926fbe670ce1d05e77b5f3147bd397

SHA1
f3f2c05da9bbc259995db9b28222ed67f3eccae4

SHA256
9589625271749a7b644cc58c852ceb1452502c21ff000f7983dffa45a5e986c5

SHA512
82f588eaa47f38075696c7af0356c113f62d52826d96b0e53ae8e8546db42f6ca63f20d01236f8ed96e807d4f987e16f4c9cfb4d4195c7a7b9b1db8b3d293efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
51e84222a37008b83ffa6489c9505f78

SHA1
10b268dffa2b638e08decd022cbf07b830df76e7

SHA256
a6fbfc7ed088ff88611f251626071840ef6a37bce1883238f38ac106fcaeb74d

SHA512
1ccf61288fdf2f26bd8026b53b1ee2756f41109867f7930eb39a676c0bfa973bdac05b57389878f02a08f033a8d4a07b68987525db66091cd9949f270bf2d6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
10KB

MD5
10d0b01ccfcff57d7ab832b6f2a90f02

SHA1
9e68e2ca1f58b08b45a9dcca89205dfd1cb95c0e

SHA256
9f54e75f5a294c1301070681a02041e878f24db06064548fbc51a6b95c4b8f0d

SHA512
5cc18531d475299f5679425128a9fbdcce486600518ba840e08a9c7d0585f8879179518170631ee2785729bb3132448a35f769826c54abf7033aaf91b419f398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
7f178292e31ce4dbce0e422126d5d75f

SHA1
654c6b9768bb3d0bb440b73e7fe4648c0940b45e

SHA256
5bc92b85ded3d4a17abcf90db925e92f99fb698354de2a7fe7e59f09630cfc75

SHA512
e397759adb17687d89678e4600fb1ec73f2d42609fc758ba42e1b700ef4f1d483b104bc7e7c31cad9b1f4030bb5b88ddb1752b1271bbafba0985d7e7f6211eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
52294ffd49e4e04babd341adaeeb3e2f

SHA1
7bdf5d32c9b10ffefd6e6424313dabe02605178d

SHA256
f76a31e2412709deecce30c371965ff1a02f258933201a43fb318a9ba3b53219

SHA512
d9fdfe5ae7df387924d04dbaf34477e41a2276bccd5f598c9145b998924991ca535fedf968d7efac1bc0a8b42af178c0792f1b4f78e0fcd8eca3cb0514b9917c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
f86239d55b1adb36e8d6d6cdb8a3483b

SHA1
e8fd50f5c3ad6b52199a7a0622372047576a9761

SHA256
79e8a4b29c0320bd9a9a0403b7b3fe5353c7f5bea3f08e8f1d93f0c446e8b7e6

SHA512
eacc5440f3a252ecb4c02ff9fd7f44630c023e86acd3f8d08742e9e6ac32383f012df4600c6ede5550169586fded6b5245f1f92b1ff902b7b2d840d8a51b7e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0091a0fd6fd4d947b943d604f79e702e

SHA1
0a2eeab1b023fbc14ccd88703a24096783d22eab

SHA256
920b09124c032cd39aab6f20fc1700613366aa2d929c4f304488175b4860f4d9

SHA512
28c133222022e1d02a620a3772157f23a1ffd2c07556816d067984cfe335aed632d3207186d1f6c4a0ed925e492165686047a888e360377df96113f18fa96f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
fa7fa0e903b4c43346126062ce060bdd

SHA1
afe610e8bdb8a40fd3d29b19e719265e9669bbe1

SHA256
ea4ea55a5616600ee3cd65481c7ca0e621677bc776ab22968eb829252c3a0765

SHA512
db4efa23bace41dfe753b41a48ac2ec5a186757ded2b94496f6ec98f5e551aebd8453925d45ad88abcef7616b4c15e9c750c09c63986e35c435ceb7ccf072a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
83e27ddd437be17cc9feb8f18a786aef

SHA1
650a0420eae6b5917816a6fa593200e2ba0536f7

SHA256
40424cc9c817ec1a0735bec090fd630a75806b03aad34cda37389b063b32d490

SHA512
9074ba47ba2ee15d40f1ad27bf65c563b0a9180cfaf160a9d6a72e0eb38138023e9737924c814bb3e4aeb59781af8f3dfad2cdcfa102ef0593dcee73c99be235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
453c29503416327adffde7bec937e070

SHA1
a7ea389a8bc6a6221ba96590b48fd6c30adc941f

SHA256
d967d1086269aedc11fa367db7a6f48369e0834565362270448a259bafa32231

SHA512
f4de7cb24075fe7f72f1cd859991124cf9f50e615ee78fecb2b3690b10192478f4d7ee842c383d802a83e5b81c89104ee305d3c3fdec5d6a9d4b13f157ad4ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585ba8.TMP
Filesize
2KB

MD5
14e6e19e8f8e204a38fab37e8bf1b1dc

SHA1
7362d6a1f7deecc3b5bbe829730047ea11087b74

SHA256
f6e64f6a35ee98437b791f5342def46a533c412896a49fa1b11c53bb4013c90b

SHA512
600fc2b164f34108a30eeca8770ca37630b942422f52baf78fec7180350693db76ebf7c58befa4d8e95b02d7cbe2ed2810b562669f8b6bacd3eaa5e32998f68e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a18f44dbb585f681780a0107fe20aa81

SHA1
5988ada54fd81786d720e7b66723192b16a0498f

SHA256
befb630dc9eb141ea5765079282bf49a6450afcdd14a2de987742034c59b8b0f

SHA512
0d6976b6aed6eebad02df3e1643daa5fed758d5e2d9af3bb6975bda5f7aa279d7ffda7e3285756a49790bf87594c70619c545dcd4cf6dd092b3356108e3a2bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f110c9a3238f66386d702f1044b5e2e3

SHA1
3774968dc7a498baaf981508eaa3dd993a7b36ab

SHA256
5c58dc8beba055141324be9d4bd2c4e7e38b05bfb1d902b820f395e07cacdd11

SHA512
8f8d4eb0d8118139395be59012b104c481946d3fd19f3bcf973c66e5b8e6dc25df26c30047365d45780944c21872d4f1a72fd5c6e5c4b6d325c62971f4fa0c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3mfyy4de.exe
Filesize
1.9MB

MD5
ea5cabafceaa04e8fe15af9248c2d24c

SHA1
e6a4b0d2831b80cfbc22e19fb240648114a777bd

SHA256
023c6e3b3c1c9a45d09bcfd5eb03241c3ce0b5dcd9f9a25946aa24196ed16d9f

SHA512
8b9b2244bdaba9d97a4a8d57fe0135867d2396d110a82f37b841eed55ccee065b72546a6da7aa3d1f194e33f92761bad295e1216ebbe56f83479ad35a9970498

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
Filesize
27.5MB

MD5
d2272f3869d5b634f656047968c25ae6

SHA1
453c6ffa6ec3a0a25ae59a1b58a0d18b023edb16

SHA256
d89a2423da3704108861f190e1633d2100ecc30b4c40bd835ce54a6934887bc9

SHA512
41072ef6f382cf6d4d97ebc2a49a50a9bd41b53508a8586fd8d018e86aed135e8ac2cdd16bbf725e4f74f14ecfcf49789d3af8924b6d5dfa6b94dc6bf79a0785

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
Filesize
44KB

MD5
3a4f5d7e47b0b415e1e30257c42f4eb4

SHA1
68f8a1b862f12cbebb783794eb42d5e6710085e2

SHA256
925defafd24e8f9d8540b07823baee2848812f6d6bc5e1d3969e63c05f2f01ce

SHA512
6d42172ac28162896fc7aaa0172ca7d43cb661cbe0588c4af30ecf95c5c3abc061c9830e203c095f547aaadc3b5fc3ef54c73882fa830fe7ab4d333b451dbd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egv1wgif.htu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\RAVEndPointProtection-installer.exe
Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\rsAtom.dll
Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\rsJSON.dll
Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\rsLogger.dll
Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\rsStubLib.dll
Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\rsSyncSvc.exe
Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\4a82467a\417adc6e_2a99da01\rsAtom.DLL
Filesize
158KB

MD5
875e26eb233dbf556ddb71f1c4d89bb6

SHA1
62b5816d65db3de8b8b253a37412c02e9f46b0f9

SHA256
e62ac7163d7d48504992cd284630c8f94115c3718d60340ad9bb7ee5dd115b35

SHA512
54fdc659157667df4272ac11048f239101cb12b39b2bf049ef552b4e0ce3998ff627bf763e75b5c69cc0d4ef116bfe9043c9a22f2d923dbedddacf397e621035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\64539d1f\d53ee16e_2a99da01\rsJSON.DLL
Filesize
219KB

MD5
d43100225a3f78936ca012047a215559

SHA1
c68013c5f929fe098a57870553c3204fd9617904

SHA256
cc5ea6c9c8a14c48a20715b6b3631cbf42f73b41b87d1fbb0462738ff80dc01a

SHA512
9633992a07ea61a9d7acd0723dbd715dbd384e01e268131df0534bcdfcd92f12e3decc76aa870ea4786314c0b939b41c5f9e591a18c4d9d0bad069f30acd833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\72167474\d53ee16e_2a99da01\rsLogger.DLL
Filesize
179KB

MD5
b279550f2557481ae48e257f0964ae29

SHA1
53bef04258321ca30a6d36a7d3523032e3087a3e

SHA256
13fe4a20114cdf8cd3bba42eeaabe8d49be0b03eec423f530c890463014ccaaa

SHA512
f603cbac1f55ad4de7a561a1d9c27e33e36de00f09a18ff956456afec958f3e777277db74f0b25c6467e765d39175aa4fcdd38e87a3d666b608d983acb9321cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\b2aedf8f\d53ee16e_2a99da01\rsServiceController.DLL
Filesize
174KB

MD5
d0779008ba2dc5aba2393f95435a6e8d

SHA1
14ccd0d7b6128cf11c58f15918b2598c5fefe503

SHA256
e74a387b85ee4346b983630b571d241749224d51b81b607f88f6f77559f9cb05

SHA512
931edd82977e9a58c6669287b38c1b782736574db88dad0cc6e0d722c6e810822b3cbe5689647a8a6f2b3692d0c348eb063e17abfa5580a66b17552c30176426

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD474.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD463.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808989.crdownload
Filesize
3.3MB

MD5
7c2e5ef59e9589422bcd5bf3726fbcb1

SHA1
c4dac6966ac4cd3500d6a7fe44138a0db639d507

SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

SHA512
28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
23KB

MD5
373ee19ed8730e51b6358b0fe6bf219e

SHA1
6549826a6f9fef49f29abbef2af719155580fd1c

SHA256
f356d706a97e9e3fc59113b34d3c7cd994cb3fcc446251fd3557a5d779350c7d

SHA512
975bfd5d207a37198cbf97d7458c885a9c4a8cdec920033208062942496f7d4b3e0f830cffe5e413a049fec6d86d0261639428886f05053dd9cf878a624a941b

Download Submit
\??\pipe\LOCAL\crashpad_3356_GZPRSJGWJZMLUHVZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/944-584-0x000002222F060000-0x000002222F588000-memory.dmp

Filesize
5.2MB

Download
memory/944-579-0x0000022214570000-0x0000022214578000-memory.dmp

Filesize
32KB

Download
memory/3380-3676-0x0000024E6ECE0000-0x0000024E6ED1A000-memory.dmp

Filesize
232KB

Download
memory/3380-3711-0x0000024E6ECD0000-0x0000024E6ED00000-memory.dmp

Filesize
192KB

Download
memory/3380-679-0x0000024E6E7A0000-0x0000024E6E7F8000-memory.dmp

Filesize
352KB

Download
memory/3380-3738-0x0000024E6ED90000-0x0000024E6EDBA000-memory.dmp

Filesize
168KB

Download
memory/3380-3776-0x0000024E6EE70000-0x0000024E6EE9E000-memory.dmp

Filesize
184KB

Download
memory/3380-674-0x0000024E6E5F0000-0x0000024E6E61A000-memory.dmp

Filesize
168KB

Download
memory/3380-672-0x0000024E6E630000-0x0000024E6E66A000-memory.dmp

Filesize
232KB

Download
memory/3380-670-0x0000024E55C30000-0x0000024E55C60000-memory.dmp

Filesize
192KB

Download
memory/3380-666-0x0000024E53EF0000-0x0000024E53F78000-memory.dmp

Filesize
544KB

Download
memory/3380-668-0x0000024E545B0000-0x0000024E545F0000-memory.dmp

Filesize
256KB

Download
memory/3380-3188-0x0000024E6EC50000-0x0000024E6ECA0000-memory.dmp

Filesize
320KB

Download
memory/3400-4168-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/3400-4157-0x000000006DB00000-0x000000006DB4C000-memory.dmp

Filesize
304KB

Download
memory/5616-430-0x0000000073320000-0x0000000073334000-memory.dmp

Filesize
80KB

Download
memory/5616-429-0x0000000005CD0000-0x0000000005CE4000-memory.dmp

Filesize
80KB

Download
memory/5616-431-0x0000000008590000-0x0000000008B36000-memory.dmp

Filesize
5.6MB

Download
memory/5616-432-0x0000000008080000-0x0000000008112000-memory.dmp

Filesize
584KB

Download
memory/5616-436-0x0000000009BB0000-0x000000000A0DC000-memory.dmp

Filesize
5.2MB

Download
memory/5616-433-0x0000000009490000-0x00000000094D4000-memory.dmp

Filesize
272KB

Download
memory/5616-435-0x0000000009610000-0x0000000009676000-memory.dmp

Filesize
408KB

Download
memory/5616-442-0x0000000005CF0000-0x0000000005CFA000-memory.dmp

Filesize
40KB

Download
memory/5616-434-0x0000000009570000-0x000000000960C000-memory.dmp

Filesize
624KB

Download
memory/6172-4082-0x000002024CB40000-0x000002024CEA6000-memory.dmp

Filesize
3.4MB

Download
memory/6172-4085-0x000002024C950000-0x000002024CACC000-memory.dmp

Filesize
1.5MB

Download
memory/6172-4086-0x0000020233EF0000-0x0000020233F0A000-memory.dmp

Filesize
104KB

Download
memory/6172-4087-0x0000020233F60000-0x0000020233F82000-memory.dmp

Filesize
136KB

Download
memory/6724-4126-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/6724-4061-0x0000000002C90000-0x0000000002CC6000-memory.dmp

Filesize
216KB

Download
memory/6724-4062-0x0000000005850000-0x0000000005E7A000-memory.dmp

Filesize
6.2MB

Download
memory/6724-4063-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/6724-4065-0x0000000005EF0000-0x0000000006247000-memory.dmp

Filesize
3.3MB

Download
memory/6724-4064-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/6724-4084-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/6724-4088-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/6724-4102-0x000000006DB00000-0x000000006DB4C000-memory.dmp

Filesize
304KB

Download
memory/6724-4111-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/6724-4101-0x00000000075D0000-0x0000000007604000-memory.dmp

Filesize
208KB

Download
memory/6724-4112-0x0000000007610000-0x00000000076B4000-memory.dmp

Filesize
656KB

Download
memory/6724-4116-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/6724-4117-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/6724-4131-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/6724-4132-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/6724-4139-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/6724-4138-0x0000000007930000-0x000000000793E000-memory.dmp

Filesize
56KB

Download
memory/6740-1837-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1207-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1817-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-1818-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-1824-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1823-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1829-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1830-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1858-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1832-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1833-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1845-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1849-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1843-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-917-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-1050-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1844-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1026-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1318-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1841-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1842-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1838-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1835-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1819-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-1820-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1815-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-942-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-984-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1000-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1040-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1048-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1061-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1075-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1077-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1094-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1120-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1142-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1149-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1151-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-955-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-965-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-981-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-986-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-987-0x00007FF6D5B20000-0x00007FF6D5B30000-memory.dmp

Filesize
64KB

Download
memory/6740-1099-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1110-0x00007FF689050000-0x00007FF689060000-memory.dmp

Filesize
64KB

Download
memory/6740-1112-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1135-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1177-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1424-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1182-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1200-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1816-0x00007FF6EC1E0000-0x00007FF6EC1F0000-memory.dmp

Filesize
64KB

Download
memory/6740-1214-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1221-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1235-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1245-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1296-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1326-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1332-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1335-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1337-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6740-1409-0x00007FF6E33F0000-0x00007FF6E3400000-memory.dmp

Filesize
64KB

Download
memory/6740-1525-0x00007FF6ED620000-0x00007FF6ED630000-memory.dmp

Filesize
64KB

Download
memory/6800-4025-0x000001396BEE0000-0x000001396BF1C000-memory.dmp

Filesize
240KB

Download
memory/6800-4024-0x000001396BD60000-0x000001396BD72000-memory.dmp

Filesize
72KB

Download
memory/6800-4011-0x000001396B8E0000-0x000001396B90E000-memory.dmp

Filesize
184KB

Download
memory/6800-4010-0x000001396B8E0000-0x000001396B90E000-memory.dmp

Filesize
184KB

Download
memory/7752-4180-0x000000006DB00000-0x000000006DB4C000-memory.dmp

Filesize
304KB

Download