cobaltstrike | 6ae4f439c7bb84942e3f3f17b7bb3ba48cee214832b28a38b2f29a985b054cc5

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6028	takeown.exe
6152	icacls.exe
3124	takeown.exe
1140	icacls.exe
6268	takeown.exe
6336	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023c99-4143.dat	autoit_exe
behavioral2/files/0x000a000000023c8c-4137.dat	autoit_exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	UIHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_C33468BC5883F8C26A2F912726D45EFA	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0FD7C8CB35A5508C225BD37696B3744C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_C33468BC5883F8C26A2F912726D45EFA	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_C4502B2ED7ABD16FF1FA41F55DB2B363	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_C4502B2ED7ABD16FF1FA41F55DB2B363	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0FD7C8CB35A5508C225BD37696B3744C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_30B4D916E12169D9CB0BC7A11DE46EA6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_686A447EF0220EBC1D36EF897F31F606	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_686A447EF0220EBC1D36EF897F31F606	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_30B4D916E12169D9CB0BC7A11DE46EA6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A	rsEngineSvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\wa-res-shared-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\about-icon.png	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\eula-sk-SK.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\Temp200799599\jslang\wa-res-install-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-ko-KR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\wa-res-install-zh-TW.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\icon_complete.png	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\eula-da-DK.txt	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ldplayer9box\fastpipe.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\subdb.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-oem-ss-toast-variants-step1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\Temp200799599\jslang\eula-hu-HU.txt	installer.exe
File created	C:\Program Files\McAfee\Temp200799599\jslang\wa-res-shared-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\aj_toasts\wa-aj-toast-checkbox.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\mcutil.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\msac.ico	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-ko-KR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-pt-PT.js	installer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\enable_ext_guide_ss.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\keep_changes_guide.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\Temp200799599\browserplugin.cab	installer.exe
File created	C:\Program Files\McAfee\Temp200799599\jslang\eula-tr-TR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\close_icon.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\checklisthandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\settings-close.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-en-US.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ldplayer9box\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\msspstatus.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_install_error.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\inst-noxup.gif	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-common.css	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp200799599\wa-core.js	installer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe

Executes dropped EXE 40 IoCs

pid	Process
3384	saBSI.exe
4480	rsStubActivator.exe
724	akwfscug.exe
464	RAVEndPointProtection-installer.exe
4232	rsSyncSvc.exe
4404	rsSyncSvc.exe
4860	LDPlayer.exe
60	installer.exe
4836	installer.exe
3216	dnrepairer.exe
6740	ServiceHost.exe
2372	UIHost.exe
1400	dismhost.exe
8104	updater.exe
1140	Ld9BoxSVC.exe
6156	rsWSC.exe
4732	rsWSC.exe
2120	rsClientSvc.exe
7184	rsClientSvc.exe
7208	rsEngineSvc.exe
7684	rsEngineSvc.exe
5956	driverconfig.exe
6076	rsHelper.exe
1400	EPP.exe
6580	rsAppUI.exe
7400	rsAppUI.exe
5612	rsAppUI.exe
7612	rsAppUI.exe
7768	rsAppUI.exe
640	rsLitmus.A.exe
4556	dnplayer.exe
2644	Ld9BoxSVC.exe
1100	vbox-img.exe
6648	vbox-img.exe
6736	vbox-img.exe
5744	Ld9BoxHeadless.exe
2776	Ld9BoxHeadless.exe
4124	Ld9BoxHeadless.exe
5484	Ld9BoxHeadless.exe
6900	Ld9BoxHeadless.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7544	sc.exe
7644	sc.exe
7740	sc.exe
6908	sc.exe
5132	sc.exe
1916	sc.exe
6564	sc.exe
4080	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
724	akwfscug.exe
3216	dnrepairer.exe
3216	dnrepairer.exe
3216	dnrepairer.exe
5188	regsvr32.exe
5272	regsvr32.exe
464	RAVEndPointProtection-installer.exe
6740	ServiceHost.exe
5448	regsvr32.exe
6740	ServiceHost.exe
6740	ServiceHost.exe
6740	ServiceHost.exe
6740	ServiceHost.exe
6740	ServiceHost.exe
5656	regsvr32.exe
2372	UIHost.exe
2372	UIHost.exe
6740	ServiceHost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
1400	dismhost.exe
464	RAVEndPointProtection-installer.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
1140	Ld9BoxSVC.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6508	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe
6620	regsvr32.exe

Registers COM server for autorun 1 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1344	taskkill.exe
4732	taskkill.exe
1632	taskkill.exe
1004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ = "IMachine"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\ = "IVirtualBoxErrorInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\NumMethods\ = "37"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\ = "IInternalProgressControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1207-4179-94CF-CA250036308F}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ = "ICloudNetwork"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\ = "IProgressTaskCompletedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\NumMethods\ = "37"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C380-4510-BC7C-19314A7352F1}\NumMethods\ = "21"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04d0-4db6-8d66-dc2f033120e1}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ = "IProcess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\NumMethods\ = "22"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ = "INATNetworkCreationDeletionEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7193-426C-A41F-522E8F537FA0}\NumMethods\ = "83"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-057D-4391-B928-F14B06B710C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1207-4179-94CF-CA250036308F}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8384-11E9-921D-8B984E28A686}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41f9-bd74-3ef5fd653250}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\NumMethods\ = "36"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ = "IGuestOSType"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods	regsvr32.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	rsEngineSvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
3384	saBSI.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
1124	LDPlayer9_es_1009_ld.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
4860	LDPlayer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
464	RAVEndPointProtection-installer.exe
6740	ServiceHost.exe
6740	ServiceHost.exe
6740	ServiceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4556	dnplayer.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
6384	fltmc.exe
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	LDPlayer9_es_1009_ld.exe
Token: SeShutdownPrivilege	1124	LDPlayer9_es_1009_ld.exe
Token: SeCreatePagefilePrivilege	1124	LDPlayer9_es_1009_ld.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	4480	rsStubActivator.exe
Token: SeDebugPrivilege	464	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	464	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	464	RAVEndPointProtection-installer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe
Token: SeDebugPrivilege	4860	LDPlayer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
4556	dnplayer.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
6580	rsAppUI.exe
4556	dnplayer.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1004	1124	LDPlayer9_es_1009_ld.exe	113
PID 1124 wrote to memory of 1004	1124	LDPlayer9_es_1009_ld.exe	113
PID 1124 wrote to memory of 1004	1124	LDPlayer9_es_1009_ld.exe	113
PID 1124 wrote to memory of 1344	1124	LDPlayer9_es_1009_ld.exe	116
PID 1124 wrote to memory of 1344	1124	LDPlayer9_es_1009_ld.exe	116
PID 1124 wrote to memory of 1344	1124	LDPlayer9_es_1009_ld.exe	116
PID 1124 wrote to memory of 4732	1124	LDPlayer9_es_1009_ld.exe	118
PID 1124 wrote to memory of 4732	1124	LDPlayer9_es_1009_ld.exe	118
PID 1124 wrote to memory of 4732	1124	LDPlayer9_es_1009_ld.exe	118
PID 1124 wrote to memory of 1632	1124	LDPlayer9_es_1009_ld.exe	120
PID 1124 wrote to memory of 1632	1124	LDPlayer9_es_1009_ld.exe	120
PID 1124 wrote to memory of 1632	1124	LDPlayer9_es_1009_ld.exe	120
PID 4480 wrote to memory of 724	4480	rsStubActivator.exe	125
PID 4480 wrote to memory of 724	4480	rsStubActivator.exe	125
PID 4480 wrote to memory of 724	4480	rsStubActivator.exe	125
PID 724 wrote to memory of 464	724	akwfscug.exe	126
PID 724 wrote to memory of 464	724	akwfscug.exe	126
PID 464 wrote to memory of 4232	464	RAVEndPointProtection-installer.exe	127
PID 464 wrote to memory of 4232	464	RAVEndPointProtection-installer.exe	127
PID 1124 wrote to memory of 4860	1124	LDPlayer9_es_1009_ld.exe	124
PID 1124 wrote to memory of 4860	1124	LDPlayer9_es_1009_ld.exe	124
PID 1124 wrote to memory of 4860	1124	LDPlayer9_es_1009_ld.exe	124
PID 3384 wrote to memory of 60	3384	saBSI.exe	132
PID 3384 wrote to memory of 60	3384	saBSI.exe	132
PID 60 wrote to memory of 4836	60	installer.exe	133
PID 60 wrote to memory of 4836	60	installer.exe	133
PID 4860 wrote to memory of 3216	4860	LDPlayer.exe	134
PID 4860 wrote to memory of 3216	4860	LDPlayer.exe	134
PID 4860 wrote to memory of 3216	4860	LDPlayer.exe	134
PID 3216 wrote to memory of 2328	3216	dnrepairer.exe	135
PID 3216 wrote to memory of 2328	3216	dnrepairer.exe	135
PID 3216 wrote to memory of 2328	3216	dnrepairer.exe	135
PID 4836 wrote to memory of 1764	4836	installer.exe	137
PID 4836 wrote to memory of 1764	4836	installer.exe	137
PID 1764 wrote to memory of 5188	1764	regsvr32.exe	138
PID 1764 wrote to memory of 5188	1764	regsvr32.exe	138
PID 1764 wrote to memory of 5188	1764	regsvr32.exe	138
PID 2328 wrote to memory of 5224	2328	net.exe	139
PID 2328 wrote to memory of 5224	2328	net.exe	139
PID 2328 wrote to memory of 5224	2328	net.exe	139
PID 4836 wrote to memory of 5272	4836	installer.exe	140
PID 4836 wrote to memory of 5272	4836	installer.exe	140
PID 3216 wrote to memory of 5296	3216	dnrepairer.exe	141
PID 3216 wrote to memory of 5296	3216	dnrepairer.exe	141
PID 3216 wrote to memory of 5296	3216	dnrepairer.exe	141
PID 3216 wrote to memory of 6636	3216	dnrepairer.exe	142
PID 3216 wrote to memory of 6636	3216	dnrepairer.exe	142
PID 3216 wrote to memory of 6636	3216	dnrepairer.exe	142
PID 4836 wrote to memory of 4292	4836	installer.exe	143
PID 4836 wrote to memory of 4292	4836	installer.exe	143
PID 4292 wrote to memory of 5448	4292	regsvr32.exe	145
PID 4292 wrote to memory of 5448	4292	regsvr32.exe	145
PID 4292 wrote to memory of 5448	4292	regsvr32.exe	145
PID 3216 wrote to memory of 5476	3216	dnrepairer.exe	146
PID 3216 wrote to memory of 5476	3216	dnrepairer.exe	146
PID 3216 wrote to memory of 5476	3216	dnrepairer.exe	146
PID 3216 wrote to memory of 6876	3216	dnrepairer.exe	147
PID 3216 wrote to memory of 6876	3216	dnrepairer.exe	147
PID 3216 wrote to memory of 6876	3216	dnrepairer.exe	147
PID 4836 wrote to memory of 5656	4836	installer.exe	148
PID 4836 wrote to memory of 5656	4836	installer.exe	148
PID 3216 wrote to memory of 5748	3216	dnrepairer.exe	177
PID 3216 wrote to memory of 5748	3216	dnrepairer.exe	177
PID 3216 wrote to memory of 5748	3216	dnrepairer.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayerex.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=852016
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:5224
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:5296
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:6636
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:6876
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:5748
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:180
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:4732
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3124
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1140
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6268
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6336
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\7E5BB9D6-A9C0-476D-8BF7-B9653ACE2E38\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\7E5BB9D6-A9C0-476D-8BF7-B9653ACE2E38\dismhost.exe {F5FDFE57-F0F1-4E45-92B6-AB95A2D0E8F4}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1400
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:7544
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:7644
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:7740
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1140
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:6508
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      PID:6620
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Registers COM server for autorun
      Modifies registry class
      PID:6284
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Modifies registry class
      PID:6452
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:6908
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      PID:5132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:7356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:1836
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6028
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6152
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4556
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:1916
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:6564
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:4080
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:1100
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:6648
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:6736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0xb4,0x7ffbcbcd46f8,0x7ffbcbcd4708,0x7ffbcbcd4718
      4⤵
      PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      PID:3168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
      4⤵
      PID:2184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
      4⤵
      PID:5980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
      4⤵
      PID:1300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
      4⤵
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
      4⤵
      PID:1624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
      4⤵
      PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      4⤵
      PID:6900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
      4⤵
      PID:7036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
      4⤵
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
      4⤵
      PID:7252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
      4⤵
      PID:2868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
      4⤵
      PID:6468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1
      4⤵
      PID:8060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
      4⤵
      PID:2672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
      4⤵
      PID:1140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8720 /prefetch:1
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      4⤵
      PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9708 /prefetch:8
      4⤵
      PID:7976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9708 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16265214323405842201,565836927946899051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
      4⤵
      PID:8120

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Program Files\McAfee\Temp200799599\installer.exe
    "C:\Program Files\McAfee\Temp200799599\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        5⤵
        Loads dropped DLL
        
        PID:5188
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:5272
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        5⤵
        Loads dropped DLL
        
        PID:5448
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      PID:5656

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=e18d39cc9d89ea043c7ab40bcd443e1e88911d98&dit=20240503003012748&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\akwfscug.exe
  "C:\Users\Admin\AppData\Local\Temp\akwfscug.exe" /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Users\Admin\AppData\Local\Temp\nsl5F7D.tmp\RAVEndPointProtection-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\nsl5F7D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\akwfscug.exe" /silent
    3⤵
    - Drops file in Drivers directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
      4⤵
      Executes dropped EXE
      PID:4232
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
      4⤵
      Adds Run key to start application
      PID:8180
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:6340
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:5748
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
      4⤵
      PID:556
  - - C:\Windows\SYSTEM32\fltmc.exe
      "fltmc.exe" load rsKernelEngine
      4⤵
      Suspicious behavior: LoadsDriver
      PID:6384
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
      4⤵
      PID:6308
  - - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
      "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
      4⤵
      Executes dropped EXE
      PID:6156
  - - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
      4⤵
      Executes dropped EXE
      PID:2120
  - - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:7208

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6740
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2372
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:8104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:3048

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4732

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7184

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:7684
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  PID:6076
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:1400
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6580
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2240,i,3370718572960480086,14194837132380608648,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:7400
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2640 --field-trial-handle=2240,i,3370718572960480086,14194837132380608648,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      PID:5612
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2860 --field-trial-handle=2240,i,3370718572960480086,14194837132380608648,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:7612
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3844 --field-trial-handle=2240,i,3370718572960480086,14194837132380608648,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:7768
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  - Executes dropped EXE
  PID:640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544 0x540
1⤵
PID:5916

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:2644
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5744
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5484
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery