Analysis Overview
SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
Threat Level: Known bad
The file LDPlayer9_ens_31815734_ld.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Manipulates Digital Signatures
Possible privilege escalation attempt
Drops file in Drivers directory
Creates new service(s)
Reads user/profile data of web browsers
Modifies file permissions
Adds Run key to start application
Drops file in System32 directory
Checks installed software on the system
Drops file in Windows directory
Loads dropped DLL
Registers COM server for autorun
Launches sc.exe
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-11 22:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 22:03
Reported
2024-05-11 22:06
Platform
win11-20240508-fr
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\rsCamFilter020502.sys | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Windows\system32\drivers\rsKernelEngine.sys | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-wss.png | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\new-tab-toasts.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Temp2109176641\webadvisor.cab | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\host_manager.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_tooltip_2.png | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\telemetry.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\installdate.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\error_transmitter.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2109176641\icon_failed.png | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2109176641\wa_install_close2.png | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-shared-sv-SE.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-el-GR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\subdb.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\settingsdb.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-nl-NL.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-el-GR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\locale.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Temp2109176641\balloon_safe_annotation.png | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-install-ko-KR.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wb-rocket-icon.png | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-BR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-cs-CZ.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ch-store-overlay-ui.html | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-uninstall-icon.png | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-ja-JP.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-sr-Latn-CS.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\auxiliary\reset_handler.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-da-DK.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-el-GR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\navigatedtoday.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\searchreset.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\rsBridge.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-variants.css | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo2.png | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-cs-CZ.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\json2.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-install-sr-Latn-CS.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\events.json | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-sv-SE.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-pt-BR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-PT.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-el-GR.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-sv-SE.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\analyticscontextconfig.luc | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-nb-NO.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll | C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-en-US.js | C:\Program Files\McAfee\Temp2109176641\installer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe | N/A |
Executes dropped EXE
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D612-47D3-89D4-DB3992533948} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ = "IMediumIO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\NumMethods\ = "31" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\ = "IEventSource" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\CLSID | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ = "IAudioAdapterChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ = "ISerialPort" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808e-11e9-b773-133d9330f849} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Ld9BoxSVC.exe\ | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ = "INATNetworkCreationDeletionEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ldmnq.ldbk\DefaultIcon | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-b7f1-4a5a-a4ef-a11dd9c2a458} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ = "IMediumAttachment" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D545-44AA-8013-181B8C288554}\ = "IExtPackPlugIn" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9}\ = "VirtualBox Application" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ = "IAudioAdapterChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods\ = "229" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ = "IHostNetworkInterface" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ = "ICursorPositionChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\ = "IPerformanceMetric" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\fltmc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=31815734 -language=en -path="C:\LDPlayer\LDPlayer9\"
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=3460721671302c939cd507900233e2947ab355fb&dit=20240511220365806&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe
"C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe" /silent
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe" /silent
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=590204
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Program Files\McAfee\Temp2109176641\installer.exe
"C:\Program Files\McAfee\Temp2109176641\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe {7AE2234D-4366-4266-B6CE-F2303F50A266}
C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004B4
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb2bb3cb8,0x7ffdb2bb3cc8,0x7ffdb2bb3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,13846560697376008871,3485917663693521272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| GB | 18.244.115.142:443 | d3n1ms4uhtqgov.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 178.32.239.216.in-addr.arpa | udp |
| GB | 216.137.34.105:443 | d1arl2thrafelv.cloudfront.net | tcp |
| GB | 216.137.34.105:443 | d1arl2thrafelv.cloudfront.net | tcp |
| GB | 143.204.194.81:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 113.216.138.108.in-addr.arpa | udp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 172.67.9.68:443 | shield.reasonsecurity.com | tcp |
| GB | 216.137.34.91:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 54.69.155.157:443 | analytics.apis.mcafee.com | tcp |
| US | 172.67.9.68:443 | shield.reasonsecurity.com | tcp |
| US | 2.18.190.79:443 | sadownload.mcafee.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 216.239.32.178:80 | www.google-analytics.com | tcp |
| GB | 18.154.84.26:443 | update.reasonsecurity.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| GB | 108.156.46.9:443 | electron-shell.reasonsecurity.com | tcp |
| US | 2.18.190.79:443 | sadownload.mcafee.com | tcp |
| BE | 104.68.84.174:443 | home.mcafee.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 54.69.155.157:443 | analytics.apis.mcafee.com | tcp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| GB | 99.84.9.4:443 | cdn.reasonsecurity.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 2.18.190.72:443 | sadownload.mcafee.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 54.69.155.157:443 | analytics.apis.mcafee.com | tcp |
| US | 18.211.212.102:443 | track.analytics-data.io | tcp |
| US | 54.69.155.157:443 | analytics.apis.mcafee.com | tcp |
| US | 54.69.155.157:443 | analytics.apis.mcafee.com | tcp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| US | 8.8.8.8:53 | en.ldplayer.net | udp |
| GB | 18.245.218.125:443 | ad.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| US | 163.181.154.240:443 | www.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 240.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 163.181.154.215:443 | advertise.ldplayer.net | tcp |
| US | 163.181.154.220:443 | res.ldplayer.net | tcp |
| US | 163.181.154.220:443 | res.ldplayer.net | tcp |
| US | 163.181.154.220:443 | res.ldplayer.net | tcp |
| US | 163.181.154.220:443 | res.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 143.204.194.8:443 | encdn.ldmnq.com | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| US | 163.181.154.215:443 | advertise.ldplayer.net | tcp |
| GB | 18.245.218.125:443 | ad.ldplayer.net | tcp |
| GB | 142.250.179.238:80 | www.youtube.com | tcp |
| GB | 18.245.218.125:443 | ad.ldplayer.net | tcp |
| GB | 18.244.114.41:443 | alliance.ldplayer.net | tcp |
| GB | 13.224.132.14:80 | apien.ldmnq.com | tcp |
| GB | 13.224.132.14:443 | apien.ldmnq.com | tcp |
| GB | 18.245.218.125:443 | ad.ldplayer.net | tcp |
| US | 163.181.154.241:443 | www.ldplayer.net | tcp |
| US | 163.181.154.241:443 | www.ldplayer.net | tcp |
| US | 104.26.5.6:443 | cmp.setupcmp.com | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 13.224.132.14:443 | apien.ldmnq.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | udp |
| GB | 172.217.169.22:443 | i.ytimg.com | tcp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | tcp |
| US | 104.18.30.49:443 | stpd.cloud | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 143.204.194.66:443 | encdn.ldmnq.com | tcp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp |
| US | 104.26.5.6:443 | cmp.setupcmp.com | tcp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 99.86.114.111:443 | apien.ldplayer.net | tcp |
| GB | 142.250.179.230:443 | static.doubleclick.net | tcp |
| SG | 8.219.223.66:443 | usersdk.ldmnq.com | tcp |
| GB | 142.250.187.194:443 | www.googletagservices.com | tcp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.114.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| SG | 8.219.223.66:443 | usersdk.ldmnq.com | tcp |
| GB | 142.250.187.225:443 | yt3.ggpht.com | tcp |
| GB | 142.250.200.10:443 | jnn-pa.googleapis.com | tcp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | tcp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| NL | 173.194.69.84:443 | accounts.google.com | tcp |
| GB | 142.250.200.10:443 | jnn-pa.googleapis.com | udp |
| GB | 216.137.44.59:443 | tagan.adlightning.com | tcp |
| GB | 54.192.139.162:443 | c.amazon-adsystem.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| NL | 173.194.69.84:443 | accounts.google.com | udp |
| GB | 18.245.253.93:443 | d3div1mtym39ic.cloudfront.net | tcp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| GB | 108.156.39.27:443 | config.aps.amazon-adsystem.com | tcp |
| GB | 18.245.189.34:443 | aax.amazon-adsystem.com | tcp |
| US | 172.67.38.106:443 | cdn.id5-sync.com | tcp |
| FR | 23.51.100.75:443 | secure.cdn.fastclick.net | tcp |
| FR | 23.51.100.75:443 | secure.cdn.fastclick.net | tcp |
| US | 104.22.52.173:443 | cdn.hadronid.net | tcp |
| GB | 18.245.143.83:443 | tags.crwdcntrl.net | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.44.137.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.139.192.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.253.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.189.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.38.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.143.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.52.22.104.in-addr.arpa | udp |
| IE | 54.77.42.245:443 | bcp.crwdcntrl.net | tcp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| NL | 63.215.202.178:443 | proc.ad.cpe.dotomi.com | tcp |
| GB | 143.204.176.119:443 | ldcdn.ldmnq.com | tcp |
| GB | 18.245.218.125:443 | ad.ldplayer.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 141.95.33.120:443 | lb.eu-1-id5-sync.com | tcp |
| DE | 141.95.33.120:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | adx.adform.net | udp |
| US | 8.8.8.8:53 | prebid.a-mo.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| DE | 141.95.98.64:443 | lb.eu-1-id5-sync.com | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 178.250.1.8:443 | bidder.criteo.com | tcp |
| US | 104.26.9.178:443 | prebid-stag.setupad.net | tcp |
| US | 104.26.9.178:443 | prebid-stag.setupad.net | tcp |
| NL | 185.106.140.18:443 | rtb.adxpremium.services | tcp |
| US | 104.18.34.178:443 | mp.4dex.io | tcp |
| US | 35.227.252.103:443 | rtb.openx.net | tcp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| FR | 5.135.209.96:443 | prg.smartadserver.com | tcp |
| DK | 37.157.3.26:443 | adx.adform.net | tcp |
| NL | 145.40.97.67:443 | prebid.a-mo.net | tcp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 104.18.22.145:443 | cadmus.script.ac | tcp |
| US | 8.8.8.8:53 | 33.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.98.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.140.106.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.209.135.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.97.40.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.3.157.37.in-addr.arpa | udp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| NL | 89.149.192.244:443 | ssbsync-global.smartadserver.com | tcp |
| NL | 193.3.178.4:443 | ads.us.e-planning.net | tcp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | udp |
| GB | 142.250.180.1:443 | 8a160410f936b8e2800c42326524c6fe.safeframe.googlesyndication.com | tcp |
| DK | 37.157.5.132:443 | cm.adform.net | tcp |
| US | 35.244.159.8:443 | u.openx.net | tcp |
| US | 35.244.159.8:443 | u.openx.net | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | 7d5d3e2fcfa5ff53f5ae075ed4327b18 |
| SHA1 | 3905104d8f7ba88b3b34f4997f3948b3183953f6 |
| SHA256 | e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4 |
| SHA512 | e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589 |
memory/3284-12-0x0000000005370000-0x0000000005380000-memory.dmp
memory/3284-13-0x00000000734DE000-0x00000000734DF000-memory.dmp
memory/3284-17-0x0000000004DD0000-0x0000000004DE4000-memory.dmp
memory/3284-18-0x0000000073E40000-0x0000000073E54000-memory.dmp
memory/3284-19-0x0000000007DA0000-0x0000000008346000-memory.dmp
memory/3284-20-0x0000000007890000-0x0000000007922000-memory.dmp
memory/3284-21-0x0000000008D20000-0x0000000008D64000-memory.dmp
memory/3284-22-0x0000000008E10000-0x0000000008EAC000-memory.dmp
memory/3284-23-0x0000000008EB0000-0x0000000008F16000-memory.dmp
memory/3284-24-0x0000000009450000-0x000000000997C000-memory.dmp
memory/3284-25-0x0000000007B80000-0x0000000007B8A000-memory.dmp
memory/3284-26-0x00000000734D0000-0x0000000073C81000-memory.dmp
memory/3284-27-0x00000000734D0000-0x0000000073C81000-memory.dmp
memory/3284-39-0x0000000005370000-0x0000000005380000-memory.dmp
memory/3284-40-0x00000000734DE000-0x00000000734DF000-memory.dmp
memory/3284-41-0x00000000734D0000-0x0000000073C81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
| MD5 | 143255618462a577de27286a272584e1 |
| SHA1 | efc032a6822bc57bcd0c9662a6a062be45f11acb |
| SHA256 | f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4 |
| SHA512 | c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9 |
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
| MD5 | aa213bbfa2c9ef99070fba913836588b |
| SHA1 | b4598529597d5eb8ab50a6e2fa1e568005ce0eb7 |
| SHA256 | 0fffbc03b7ae25e16a7a995791e6bad6c38720efd37d5b12c9a5ae5e2c78e682 |
| SHA512 | 2139ca9646025e7454d259f584812bcba3a563658bdbee960f6addc8e6b994ed60422c441d334be9d98e29020941c351eb80ade2fb0196c3f0f38ec2e1a04968 |
memory/1072-57-0x000001E8F7820000-0x000001E8F7828000-memory.dmp
memory/1072-58-0x000001E8FA2E0000-0x000001E8FA808000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe
| MD5 | aedf882b5e38951bfaf2234b21d17802 |
| SHA1 | eaba914f0631db9145b2f5a7096c26ead08c8b71 |
| SHA256 | 92346e6276b2ef91fb98d371cb1184ecc345b7018539e23fb688b6a8532f20d6 |
| SHA512 | 25a6974958b451a6054def0be4d8204718ba6e22f5c5bfdd85d0a5291d4ca103e71fdf82a74f101b7776a9772dc6bd0557a9f78f9d889c23b8e1be9c8940bbf6 |
C:\Users\Admin\AppData\Local\Temp\nsa5233.tmp\System.dll
| MD5 | cff85c549d536f651d4fb8387f1976f2 |
| SHA1 | d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e |
| SHA256 | 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8 |
| SHA512 | 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88 |
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe
| MD5 | 41a3c2a1777527a41ddd747072ee3efd |
| SHA1 | 44b70207d0883ec1848c3c65c57d8c14fd70e2c3 |
| SHA256 | 8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365 |
| SHA512 | 14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869 |
memory/3992-132-0x000001A9B6E10000-0x000001A9B6E98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\rsStubLib.dll
| MD5 | a16602aad0a611d228af718448ed7cbd |
| SHA1 | ddd9b80306860ae0b126d3e834828091c3720ac5 |
| SHA256 | a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a |
| SHA512 | 305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511 |
memory/3992-134-0x000001A9B7310000-0x000001A9B7350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\rsLogger.dll
| MD5 | 83ad54079827e94479963ba4465a85d7 |
| SHA1 | d33efd0f5e59d1ef30c59d74772b4c43162dc6b7 |
| SHA256 | ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312 |
| SHA512 | c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1 |
memory/3992-136-0x000001A9B7350000-0x000001A9B7380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\rsJSON.dll
| MD5 | f8978087767d0006680c2ec43bda6f34 |
| SHA1 | 755f1357795cb833f0f271c7c87109e719aa4f32 |
| SHA256 | 221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e |
| SHA512 | 54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955 |
memory/3992-138-0x000001A9D1430000-0x000001A9D146A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\rsAtom.dll
| MD5 | 9deba7281d8eceefd760874434bd4e91 |
| SHA1 | 553e6c86efdda04beacee98bcee48a0b0dba6e75 |
| SHA256 | 02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9 |
| SHA512 | 7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306 |
memory/3992-140-0x000001A9D13E0000-0x000001A9D140A000-memory.dmp
memory/3992-145-0x000001A9D1620000-0x000001A9D1678000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\Microsoft.Win32.TaskScheduler.dll
| MD5 | a09decc59b2c2f715563bb035ee4241e |
| SHA1 | c84f5e2e0f71feef437cf173afeb13fe525a0fea |
| SHA256 | 6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149 |
| SHA512 | 1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b |
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\uninstall.ico
| MD5 | af1c23b1e641e56b3de26f5f643eb7d9 |
| SHA1 | 6c23deb9b7b0c930533fdbeea0863173d99cf323 |
| SHA256 | 0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058 |
| SHA512 | 0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4 |
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\rsSyncSvc.exe
| MD5 | ded746a9d2d7b7afcb3abe1a24dd3163 |
| SHA1 | a074c9e981491ff566cd45b912e743bd1266c4ae |
| SHA256 | c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3 |
| SHA512 | 2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b |
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
| MD5 | d2272f3869d5b634f656047968c25ae6 |
| SHA1 | 453c6ffa6ec3a0a25ae59a1b58a0d18b023edb16 |
| SHA256 | d89a2423da3704108861f190e1633d2100ecc30b4c40bd835ce54a6934887bc9 |
| SHA512 | 41072ef6f382cf6d4d97ebc2a49a50a9bd41b53508a8586fd8d018e86aed135e8ac2cdd16bbf725e4f74f14ecfcf49789d3af8924b6d5dfa6b94dc6bf79a0785 |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 012e52c8cb968a21ce90cc6e2e833295 |
| SHA1 | 1870e9946c6627d60e78023890c2a80051711dc0 |
| SHA256 | 5fd54efe3a481f702394abc439191ae470fe01c6f780f3505539170816e90f1d |
| SHA512 | b23c50da29a9d803c61e7cbe145d9d4776f1301d3996c09da8f538d95f4fb1d7d11ea441afcdc28a4e8259f1c873384adbe8dbc90d6a382dfc1131a836ecb67e |
C:\LDPlayer\LDPlayer9\msvcr120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\msvcp120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | b0d864ec1a1291d14039c8cd80643b56 |
| SHA1 | 6c8361132a9a9e654937e43ddd4a3a483b559066 |
| SHA256 | 1a399ef385397da87425d6a8f50a75bb08dad54584d7da916c84c6b1e5f5d285 |
| SHA512 | 1d7cc2966961ea3db6f82456626e242454d830d176ee6e8c5cb3eb462e0b590ffa7d511fb0473eef350bc134cd531c1564262942132afab2fa41a8e49b0e9746 |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | f845753af4cc7b94f180fb76787e3bc2 |
| SHA1 | 76ca7babbb655d749c9ed69e0b8875370320cc5a |
| SHA256 | a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990 |
| SHA512 | 0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81 |
C:\Program Files\McAfee\Temp2109176641\installer.exe
| MD5 | 4034e2003874264c50436da1b0437783 |
| SHA1 | e91861f167d61b3a72784e685a78a664522288c2 |
| SHA256 | 471d799e2b2292dbdbc9aed0be57c51d8bb89725a944b965aeb03892493e8769 |
| SHA512 | f0923f9c6f111583358c4c4670c3e017da2182853f489d36e49efbb4ad0eed23bc420cecf9584a1df4cff30d1428cb745c6143eacd1ee4acb8cac7385bd3b080 |
C:\Program Files\McAfee\Temp2109176641\analyticsmanager.cab
| MD5 | b86746aabbaf37831a38b6eae5e3e256 |
| SHA1 | 5c81a896b9a7e59cdff3d7e10de5ace243132e56 |
| SHA256 | 70e35195fece6ebf6e97b76c460d67449c4785a1bd21f205908f995aa8c11a5e |
| SHA512 | 68e2f2359e6306a5ff3af0c348c2d452afa7a8766e10b2d36358eb30e70ed17f4b45b479b8be5585a91febbdda67cd2b96c225728ad32e9a54bad358269711e8 |
C:\Program Files\McAfee\Temp2109176641\analyticstelemetry.cab
| MD5 | fc2f204b92db0e8daec09ae45cedbc96 |
| SHA1 | 5d16a19f70224e97cfc383143ddbf5f6b5565f19 |
| SHA256 | 22f38866a64fcc685be87a949f17d0bc85d20c9d5f6aec1ad469d59f099383c6 |
| SHA512 | 32fd7845c34ff4df8b7ec5d041c4de1a577cb686d7b6b9bfe10897edd1b5dab503ff1fd5b6e729f0a081fff41d5b273cbd188dd7952c27366cf3f5c3b3fd3637 |
C:\Program Files\McAfee\Temp2109176641\browserplugin.cab
| MD5 | f2e0ad0cf39154cf59faef9c055fceda |
| SHA1 | 31558e4be53bbd90c955b60bab3b4bb7c29c3442 |
| SHA256 | 5c98127edc5094fba4ab2c640dabadac9365ccf127446ac28db1de31553fbf67 |
| SHA512 | c4054146296f69cea8b628c63941b70713e479e75ae21e982113d7a5ed561099070cf3f8e01ffe307e0d6b5e975a111515282e1532204e98fe1d85c2815056b7 |
C:\Program Files\McAfee\Temp2109176641\eventmanager.cab
| MD5 | 98f1341ed360f6d676a110fab895669a |
| SHA1 | 7695c908aec695a7f17fbe0a7474aa6f8250c960 |
| SHA256 | b6ba85209c76fc850130c6bde2fb58ea4bf92a54c68670e5e4445a7fe0337cfa |
| SHA512 | 8d46ce3f7972ecee7003d5dde16b614656197949a2c6a170398c9a0f246d2ba6ffd0c75caf115a697ded4618ac09defe36c6c157245abe8288483e6a808faf24 |
C:\Program Files\McAfee\Temp2109176641\downloadscan.cab
| MD5 | 3f53a18999723022ce0163cf0b79bddf |
| SHA1 | 9722ac18848575fe7922661c6b967163647b004f |
| SHA256 | c03a9c8f4c8840d3d6620bce28007e0f9b738418d690247f2116f3f28ff9249f |
| SHA512 | faeba2e5cead1388a348d20f671f136faaa17f1b5677dd8aedfbbba01b99f4c15020888520e15f88e946bc0b3aec8d14f24729ee37ed440a0e87151b72a2e6a0 |
C:\Program Files\McAfee\Temp2109176641\browserhost.cab
| MD5 | 047cd507df3d47ad5b4580f92cca8462 |
| SHA1 | a3cba758d2c3a435d8b4841ed7874d3dae98affa |
| SHA256 | d1ca37407ee6c256a2d174da8139dae1b5f3b681540763e4208073646dc3f85a |
| SHA512 | beee3e3b0606c8620370033da292f8d177fc4c8556dc7c952bc9a56a1ad446e36cb425c2f849741a24f3ebce6b814e213ab051e31283f16854069b7b83289c74 |
memory/2932-607-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
C:\Program Files\McAfee\Temp2109176641\l10n.cab
| MD5 | d2d49a3e1e9a75f4908d8bafeec64a8a |
| SHA1 | 7b73095c122d816f07d7372920025ee07a34452f |
| SHA256 | ae57687e54b8f26ac9a233cb382a96a2f11b6ea3722feceab3fe6ef73e1a9cc7 |
| SHA512 | 6bb7d5db7ae08d1bad860a2467da10d92794f73594ee20e044747f4129f4b2f89dcca1cd52662d5ad88c7279798b457585605c03dc7b9f1817fedf072dec5e8b |
C:\Program Files\McAfee\Temp2109176641\lookupmanager.cab
| MD5 | 4701a16772d584dddf8d3fdf2a86ce68 |
| SHA1 | 38537b682c25af63435b1a1166c3f484a2ee003b |
| SHA256 | 1c11af7968f51eece1682d1106630d5d87bb363b24088e976710518108e9ff3a |
| SHA512 | c8c25202b86486eac7b24ac91860ee14153fd35c9bfd73ff4aab114d8bd95213a935276463081f70a5b8f5fadf100ea072f09486d4b07e7d4dc2b904c46fa064 |
C:\Program Files\McAfee\Temp2109176641\mfw-nps.cab
| MD5 | d9ca680b1fcd3930a7e88164d29835ad |
| SHA1 | 46e5f1906e3535936326529c81bad3ca77eba700 |
| SHA256 | b32933bd6e5b2f0d2928e92546195120375bbc8da68533e577adf6c54ea4ec0a |
| SHA512 | 45614f889ec7b1c30f5186bf61d4d82705f9175604cd82972a29b612f6fa4eb230179506adfc14bcfd5097890c9ebb37db54a96f80e781e742fe35e8c68b17eb |
C:\Program Files\McAfee\Temp2109176641\mfw-mwb.cab
| MD5 | de22a82e15c63e0dd5d76f3784baf2e5 |
| SHA1 | 6388f8ced47ff3f0fde51523e489c7c7d685367c |
| SHA256 | 127b786e92568718d16aac814f0472356e5a49ff44d6803cd79f8ac0bd91154e |
| SHA512 | 69227b9b6a77c4182756496faea49b7ca01865277896e77a58841f60ddbf716c3880ad797b2947a8e92fc8f0bf57e95da0cddba8065b322ab95b0081676ea184 |
C:\Program Files\McAfee\Temp2109176641\servicehost.cab
| MD5 | c876006d16cfdbb9abe9d2dbe51f923f |
| SHA1 | 277df779d8d282bc213eb787cf2c66c45446a528 |
| SHA256 | 2b7af7a1af3b4d205ac5a83fe191dc143e4279bfaa08ce4d540ee25835e1f820 |
| SHA512 | d04042412a0455169eb505d9fecdcf18950c16dbea629a9c8637ef53d4806b11f6d219daede59bc687e1ae58b4376b5bdcbcf2fb529410eae75eae12516ec328 |
C:\Program Files\McAfee\Temp2109176641\taskmanager.cab
| MD5 | 683cdaf78b714119a46f6956b01b8790 |
| SHA1 | f4c2b54addff08403d57d5371a71ae51adced69c |
| SHA256 | ce40ba45ddad3eaed3152f4a2ca857b057cb46070883d415736a11c121bbe514 |
| SHA512 | ea3807ad3c7d65d021d805e80128c6f2a5c23593f05970a3bc1bb03d0e9270bd5bbe0e693533b215c241b7e2a2d61f6b8997d684365ae14ef61f9e8210da39fa |
C:\Program Files\McAfee\Temp2109176641\uihost.cab
| MD5 | c1210174cef04ee040f75d715e39e389 |
| SHA1 | 73756f3d81ac71d1135986d1ce71d1792b65e8bd |
| SHA256 | e71b6af542475224a316bd6ecc9b6b7c2f250bb63b95c1f655fdd1b0d2e81bc8 |
| SHA512 | cc06678211b18e1e95a1b11c3f5cfc64da55dd11507814181b406fd4e7e65a3505b0ec4d07331aa1c7b8a6682165267f67633bdb9ff9d235660de23ac29a9d4c |
C:\Program Files\McAfee\Temp2109176641\telemetry.cab
| MD5 | a3e148e515f1e4bc5f7d5c333777a906 |
| SHA1 | 07b32139c195efe473b0f4e31ea9b67bc17a22c5 |
| SHA256 | c0a66dd61574c1729fe80b1dd03555be4eeaf371b4a3b7cc8b6b12068d0db60c |
| SHA512 | 00700c422b432444a508ea473db102be2aaf6324a8a57457b6205cd218f6e9b9f9f87f30d32c578ce52d15bdabbd6386dfd74cf605b771bf87aa2c6ce541a330 |
C:\Program Files\McAfee\Temp2109176641\settingmanager.cab
| MD5 | e370a3a3c4c1d7981aed6c2ae814a5da |
| SHA1 | 844d66ffd67753aa2899b3f37c3ac82d35541715 |
| SHA256 | be149a650eae3a9fd6e023f04b220ea112262bdcca94198aaa77cfe9c2a145f3 |
| SHA512 | 6fe49258810cfbc42a2bb77e77aab439f9ec1f4133c174379453bf80e14c40c63c45b9ea2d1e64596361e89dcabb9931dd6a2aa4ca883a4bb02c1263451e4f84 |
C:\Program Files\McAfee\Temp2109176641\resourcedll.cab
| MD5 | 332e2fb2256710f1847bbc4c42cc16c9 |
| SHA1 | 22f9b2715821a12824e7b1d29344323c212a1527 |
| SHA256 | a05f3231e81d726f99fe7ca68810e73ea47ce84fcd7fa42c1a7f2742c1ff3f86 |
| SHA512 | c4901db8021c3911e5caca3dc75c8533c61dc1091303473992671c763f12406749551daccfc67931991dbb72d6c279f84cce0ea564157dc01c2159d6527a15c1 |
C:\Program Files\McAfee\Temp2109176641\mfw.cab
| MD5 | 4b0034ee6db1f4a2a76524f1cc7cc9f4 |
| SHA1 | 44bc148e2dd5221e1b781bdb56a625588fce9f64 |
| SHA256 | 36671f49627d8cf811064c59cbf37e43e409b6d8631898614470037edb53c431 |
| SHA512 | a90abd80a517bfde5cb365904ee85baf0f3f32558701e4548f2aeb44783f088bd3b969de2068a6b618bdaf501f5f38ec9440f31144d96dcb1b766d19a0579738 |
C:\Program Files\McAfee\Temp2109176641\mfw-webadvisor.cab
| MD5 | e0f5c3d03681587bc927a049a22dfeb6 |
| SHA1 | 2bdc1c92cbe1576d356daacf409413fff410e827 |
| SHA256 | 325e7d15f8b9e3988904fe796d7d6bfb714be50f64d1a760b9e11cf71fe9ee15 |
| SHA512 | 43a914bc424c9e4b5e08b3f016525e9685b9231e7de135b40d1b6806363dc8891f497fce3116d491947487c03dc8bf07c30be0fc2afec20e774aa22d83a1ffbe |
C:\Program Files\McAfee\Temp2109176641\logicscripts.cab
| MD5 | f2158db4bebd54b26773c843729007a7 |
| SHA1 | 94e4f3e571f9d65a9a273147752a6767477284bd |
| SHA256 | 2e8f526789472335dd0c9d847965c104153260aab2f42d4848648babd02a2b30 |
| SHA512 | 7de44a11aa0cf50b497b189aa5ee30b0a204d6f47f1d584a8d265b227d64bb3c3f66bdd47f5ef60395ece010dbbb9b0d7af56bd27ff7c8b6b3a64f0758e4cd09 |
C:\Program Files\McAfee\Temp2109176641\logicmodule.cab
| MD5 | d06127ffbd53a53c8c5a6dba9ef57a30 |
| SHA1 | 4b0c999368e3c41cc4e5e15e2dec24528184955a |
| SHA256 | 96aaecb6da2013028e00b93895c3a7d9ee26f8e03e32bf4506d32218b02d8f0b |
| SHA512 | dc5ccf8bee79c79eca3b8a106ac805e1254b613fc3449f417dd8bc18f76e96a9aa6d9d43680546dd85486fa802c54d10bea45ba4ac401ef41c19529e13a4b815 |
C:\Program Files\McAfee\Temp2109176641\uninstaller.cab
| MD5 | 94efa76e5d44432624c9c2dd55dcdc43 |
| SHA1 | c30419e489724c1900fe6ca0564a7756b6266637 |
| SHA256 | f859700fd030c2a69a5cdb9f7c0d884248ce5c3cb37d84c9230d9b025ac5a29f |
| SHA512 | 6284d8449cbc5d29190290521e314b45f7965f816556d00c31076f1b61bfb01f74ee9bae06a6b04263ba5d2300901affd1a4965c09dfdc0355646e8e92949e2e |
C:\Program Files\McAfee\Temp2109176641\wataskmanager.cab
| MD5 | 218696f93137dbe2dffbd3b478ce6f9c |
| SHA1 | 78a044f3a0800199caefb05c1ec2184c76475075 |
| SHA256 | f376195738911c09feda9b68e417d4523bc348990a31e3773458fc4f55ecbaf6 |
| SHA512 | c6328d23182b93a409b53af350a9c0356976b0119f9ad3fe2bacf4e2d167d8ab63f53cc240dd91f97da99259751447224d8c1e1884df68579d2fb79306b7417b |
C:\Program Files\McAfee\Temp2109176641\wssdep.cab
| MD5 | 9fe49495f568043598e473a2efbac339 |
| SHA1 | d872dbbefc5974a218c4246d49f29eb2e7da419c |
| SHA256 | e1b6cbed8e517704b6451fc70bd3233443ee3a84c4e0e73f39bdf846cbc660ae |
| SHA512 | 28e09444ae4ab7b641419f4e483d16842759814be95b3e18806edacba92ee8363e349909cf4afe01ded535e96b38868cdc03761c38db2b2c4b6485c67adc47ef |
memory/2932-791-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-871-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll
| MD5 | 71a78b5187b533b6441388e199f9758a |
| SHA1 | 0d07d9f17397f61ca8851af837a32c6f83a78bd0 |
| SHA256 | 06483f4a360168de5c85a4729578e998dea4270a76d28439a20a41135e94eaa1 |
| SHA512 | c0bcac6a7fb15cd3fe861ec450baaad00068d7e1b511f7d1aa6c1c8bacd6f04eb80105132e37b6e99669d62f53f0d63e13c040df2f863f5a12206f1388c79ff0 |
memory/2932-1216-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1115-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1078-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1076-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1073-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1067-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1048-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-1026-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1004-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-968-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-960-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-956-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-949-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-944-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-941-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-919-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-904-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-903-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-900-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-865-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-861-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-853-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-847-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-836-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-765-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-762-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-741-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-716-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-1493-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-1505-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-1515-0x00007FF78A100000-0x00007FF78A110000-memory.dmp
memory/2932-1528-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1514-0x00007FF78A100000-0x00007FF78A110000-memory.dmp
memory/2932-1513-0x00007FF7CBC90000-0x00007FF7CBCA0000-memory.dmp
memory/2932-1512-0x00007FF7CBC90000-0x00007FF7CBCA0000-memory.dmp
memory/2932-1511-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-1510-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-1507-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1506-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1504-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-1503-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1501-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1499-0x00007FF7718F0000-0x00007FF771900000-memory.dmp
memory/2932-1491-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-1490-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
memory/2932-1489-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
memory/2932-1488-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
memory/2932-1487-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
memory/2932-1486-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll
| MD5 | 0f02e3217603077af6e4590c61427d8b |
| SHA1 | e7c7102b621f6e84d3fa5d48a64b9bc3af518698 |
| SHA256 | e4b71441526318bc3b271cb1a0c858077911a95d13fdf68ed7b97dd3a4f2f86b |
| SHA512 | 1e3c0304995eec01bcdddcc89d3be9ec14d496ffd879dc106ec75f21ef4ac184ff0436d780530561955d9aa7aa4f0a7a63916f8a02a8756e7303af27a904e194 |
memory/2932-713-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-660-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-659-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-658-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-643-0x00007FF7BE3C0000-0x00007FF7BE3D0000-memory.dmp
memory/2932-782-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-781-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-702-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-692-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-689-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-671-0x00007FF7D5EC0000-0x00007FF7D5ED0000-memory.dmp
memory/2932-634-0x00007FF7D4A80000-0x00007FF7D4A90000-memory.dmp
C:\Program Files\McAfee\Temp2109176641\webadvisor.cab
| MD5 | a265b83be07a6a1aa8e400c6f4e00958 |
| SHA1 | 1d81e5d7f8f01b426989abfcc62e01b56566dcc6 |
| SHA256 | 25c2cd074f1891dc48da90fcaf6fa3940e55afcc641c0f586054de91fb158b19 |
| SHA512 | 2624d46ce089e356589d139f4d9435ffba3895d8668a4b22bb4a4d8e41c4957e75c39d75972d31895930293a74696aaaafd3710f3935e7f90d1a39389c5c186d |
C:\Program Files\McAfee\Temp2109176641\updater.cab
| MD5 | 36a9937b4970ed88446aa09a204fb3de |
| SHA1 | 7a22d931f7c7313e046fc35f6ed9e8c861af241b |
| SHA256 | e58cdfba1ec4940ce12a0791336e3f312c1e4e8b5916e528e3ead3a6c48db020 |
| SHA512 | 107d64e3d5b24cf2b0ba52a389738a2566bdffb4633c1fe6aed2f90e0a50bdfec4493cd0b610bb0466e54acdb1eb40d02a73ff70db9df360c8297216c341f1d1 |
C:\Program Files\McAfee\Temp2109176641\uimanager.cab
| MD5 | ad4bbf75866c3a8157b1ce867cb1b336 |
| SHA1 | ea2f390bd2beebc47ccea52d691d96f17ae148dc |
| SHA256 | 85170669325888a07167c0017df4b2e1b72b4a90bb60714fc9f9a3dc517e4008 |
| SHA512 | f146f5f649c0950465798c3822a1dd35c79780b10acfdf15678a57322d3ff4993993bd88a16e8f96c109aa67361717919e5a8a6d399aed800a0c6e77fd274b00 |
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
| MD5 | 813b80b099ea29e13e9c32d67712afd7 |
| SHA1 | 20e06a9e28be51e3514b50b4515c6fdcc9c3d6ad |
| SHA256 | 7fc8bf34b7c8279940a21da55229985931ba25cee7f157fba48d1a42034ffea7 |
| SHA512 | c5239cb766610b924b0b542236c7e5d463daee0393af50cce81bcd8191d18465a7c2e5df0a91522e755a958847fe020b3a39a2b0bda68958f11d0f1be3beeaa6 |
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | 6424304809a99a35a6b4423977481304 |
| SHA1 | b43a2ed7cdbc6a1fb355689fd2c4b1e29f3808e3 |
| SHA256 | 6389caf9b53c458aa716cfbf707df4371ed713c86c9655cb09820594539ccc58 |
| SHA512 | 7dc4ebf0958a37fa7256579ead3916612f1584f091a18c956e4e6ac548a05c7f85a775b5434fe803358b2d34797177e44fb63103a4b261ed96061d7c6eb70c32 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 8fbaeb948fdc89fc03b387305c521948 |
| SHA1 | 01b377e216b5f9cb0554aac09445a83913230209 |
| SHA256 | 0b8f6716920bda8227e69d451a764c83611ac1be2dd3d779cd299de384a4a45d |
| SHA512 | 27ea6bc3cb50f77c8ae932a93b80164824871e0762745f15bb875b2e48b8065976e4f8611da407057d42c80f1245c8c644ff2898e23b67285caa1c582a9c185c |
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | 5cf4d0cc196b02f3bf2baa6e3cae6d9b |
| SHA1 | 5dd7864ce907d390f42c688c034e25b10d054441 |
| SHA256 | da6a2b8d5de834a96ebaf387cea2b9a2f6df84e090784a9201448316d65ec274 |
| SHA512 | 3182c9c86ecc61ed1af2c0beab5b52510c300ff3c4ac41927f087a33674454f847e7c8d90b912593f4bbe9e848cda9b9fee5d544b1adf03dd65a3ffc33c1e902 |
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
| MD5 | fd8c14322c0168b0f4dc8a589f247d62 |
| SHA1 | 9be8cbaee40825d4abb3a4b5374e8c8ba7daf27c |
| SHA256 | 2d806f0e87bba1835f9aaa0c6ba82c0e42ba55f42a1c939cfa0c140e20b81821 |
| SHA512 | e9eac8d81bea6bf19b75b819ba8a93f437d54b84abb14c79e87dabd9982410af32a9e66905c3a94ec5000c1bedc94a2941a944a00ec214b4af8de6644a34b8a7 |
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
| MD5 | 6f97cb1b2d3fcf88513e2c349232216a |
| SHA1 | 846110d3bf8b8d7a720f646435909ef80bbcaa0c |
| SHA256 | 6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272 |
| SHA512 | 2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07 |
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
| MD5 | 8556afbb1722951ddc64e7642ee7ac9c |
| SHA1 | f25a52b068eb3898dc1d018fd481af000ac9cc7d |
| SHA256 | 325870bc55b57f0f018c6a572cddec8b339540a0b337ea5efd97014e8c00ad10 |
| SHA512 | 57d3c271752f6cd44edb43c2d79e7188b57561678057f05bcb145f23e2729715645f3c520eef8106221d7a981bb0f65b80e51a92f86c1f0de11932a92147a962 |
memory/3992-2801-0x000001A9D1AF0000-0x000001A9D1B46000-memory.dmp
C:\Program Files\ReasonLabs\EPP\mc.dll
| MD5 | 79a3316d934da771d43a0eb38b43b411 |
| SHA1 | f4df6d0423d63f7e0792d1d55af6b36a94c7449a |
| SHA256 | 2a96c5474735e92836286f33218d8338591c15b3441faf8672d3b687411f01af |
| SHA512 | b597cc7018ad0a9695c6ffeb3370e3c04e9d35d7090de176aa40531a6720e2bd0cb9f1ab1a8304ed17e0987982028a91b2d8d5cf3229a62c5d0fcd4ab1c6b700 |
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
| MD5 | b8f08b5a671b1d91bc615a1be333d037 |
| SHA1 | 2d17004a8635d9c349b43aec7996384cc7b17a95 |
| SHA256 | c5f855c4e6f7aac4547f4dfae4ec03b1d3ec51b18c69ae94d3402b27a32b562c |
| SHA512 | c0f75d936196b65fb2eea75de1d97b9cd6d9a6777553bbcd706e1c3a29248543cc6aa2f47b46142155482613f9106e84e5b8036c0fa46893600272043fc20335 |
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
| MD5 | c128d7b407d111298c6fd54b5d1d30dc |
| SHA1 | f1b0a405660ddcef6a37155759f08b1bc50f27d3 |
| SHA256 | 60bb746a55444c32b1dd73555e4ed4e3d21a792c818279d4952f302553393a9d |
| SHA512 | 17f4a4923166da9229bff98dacecb5d9824d435847c4d371d7eb441b6e836d36b92c187fba08666d3c26ce61eeeb7bd5ab675983d793ba9315c47d8d6ca8bce7 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 4b1606434c987fa38605a287fa77b7b0 |
| SHA1 | cdfc2ceb7bc4b9c7a6bafcf1e21a53efaa819126 |
| SHA256 | 68608a7766554ba33d52676e47bd6e4adf39fb152c635b356d40db9288f41e7d |
| SHA512 | 8a6ffce9924ca89826c91da32392c3a3e09472393feda0dffc6097adab4a3261f8a5bdeb9f2243d0b1884d44c08e68c38beb5a30a5943a18e79b96df972ddd87 |
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\3d076822\3e0acb4f_efa3da01\rsJSON.DLL
| MD5 | bd772c48f94ad1012dc608a4b7b55ce1 |
| SHA1 | 4593870deb85c3ea9d54f1f260e2ab96effb6ee1 |
| SHA256 | 59733e01120fa4d5cb1e765babf8fefc15d98f7d484cb1902e0d07c4f3c0dcca |
| SHA512 | 534b4005c4d7647a42da6489a6c6852d95ef0156d0f76bc76b5c6765e035fa86a46e2ce823962b06b4f74c74623155302974d0dc0cdac7fbfb00fbc3579bc286 |
memory/3992-4431-0x000001A9D1B90000-0x000001A9D1BCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\1183793d\3e0acb4f_efa3da01\rsLogger.DLL
| MD5 | 3c4180b83cca1278afa4e8f6a3bb0847 |
| SHA1 | 61988cb6bf9700e517a4344a793025ed175ab9ac |
| SHA256 | 4149bd4b31e147776a9b7881b3e40644fc583c4c25e40edc480c996dcb7090c8 |
| SHA512 | 7a2e8f2664573115c9268726abd90b91bc19664e317a7b5afa001ce3d31b0537c9524066a2dc2fb831e3dd34b8c98f1405699701b3e990dcca175f1bfd40d54d |
memory/3992-4545-0x000001A9D1C70000-0x000001A9D1CA0000-memory.dmp
memory/3992-4557-0x000001A9D1C70000-0x000001A9D1C9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\e0231271\cf1ebf4f_efa3da01\rsAtom.DLL
| MD5 | e5e1626c36117bc60e810c132b99c249 |
| SHA1 | 753c35e07b1453a80ce2260d3c37387ab457c91f |
| SHA256 | abddc3de4f7320698394f16406cf59b2cc147f903c5afb8535025ef7ea696000 |
| SHA512 | 145d37fd59b90da9656ff96a2f50db185efe791eafb67d492e9bae3869271c71e493019c08a2390f4aa251f8611c78fa66bca93a8925e3f8f0fa98f4b5278800 |
C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\9fad1f30\3e0acb4f_efa3da01\rsServiceController.DLL
| MD5 | 3aef2746ab8bf491c50d946f271d8461 |
| SHA1 | e89d4c3822f0d2c58bc6114f9e35d99271b2f82a |
| SHA256 | 7927338f12e8d1835e97fb342874b26d4f068da95bb582fe0ccfde364e769969 |
| SHA512 | 6649901243600f82e481408ed95c2471de50c5266cfd42892a526225de0cb0f9469433d8d87d72f33d0d0c8d31f4f245eaa041fdb45f839433f995763c314f02 |
memory/3992-4623-0x000001A9D1DB0000-0x000001A9D1DDE000-memory.dmp
C:\ProgramData\EPPBackup\rsEngine.config.backup
| MD5 | 517330c5959e0ea014cfb2ddadfae354 |
| SHA1 | 82b72327a6d7304443e543d8bfb98f0849899a49 |
| SHA256 | f30d03e6f8b8b8e1f4a1cb93507629e465b0dcc6c9e68982816d92b5819de6fd |
| SHA512 | 2e1f95f16ff2a45e492f03a7df8a96cc984ec8965746320bac255861609a4759ab82d6b99935235dddd3c11c7e7001e495c16650be406b75fca726488f603dff |
C:\Windows\System32\drivers\rsElam.sys
| MD5 | 8129c96d6ebdaebbe771ee034555bf8f |
| SHA1 | 9b41fb541a273086d3eef0ba4149f88022efbaff |
| SHA256 | 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51 |
| SHA512 | ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18 |
memory/8116-4862-0x000001F9C2E30000-0x000001F9C2E5E000-memory.dmp
memory/8116-4863-0x000001F9C2E30000-0x000001F9C2E5E000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | 1264314190d1e81276dde796c5a3537c |
| SHA1 | ab1c69efd9358b161ec31d7701d26c39ee708d57 |
| SHA256 | 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5 |
| SHA512 | a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9 |
memory/8116-4876-0x000001F9C32D0000-0x000001F9C32E2000-memory.dmp
memory/8116-4877-0x000001F9C4C10000-0x000001F9C4C4C000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | 43fbbd79c6a85b1dfb782c199ff1f0e7 |
| SHA1 | cad46a3de56cd064e32b79c07ced5abec6bc1543 |
| SHA256 | 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0 |
| SHA512 | 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea |
memory/1932-4897-0x000002E033C90000-0x000002E033FF6000-memory.dmp
memory/1932-4900-0x000002E01B000000-0x000002E01B022000-memory.dmp
memory/1932-4899-0x000002E01AFB0000-0x000002E01AFCA000-memory.dmp
memory/1932-4898-0x000002E033AA0000-0x000002E033C1C000-memory.dmp
memory/5624-4902-0x0000000002360000-0x0000000002396000-memory.dmp
memory/5624-4903-0x0000000004D40000-0x000000000536A000-memory.dmp
memory/5624-4904-0x0000000004CB0000-0x0000000004CD2000-memory.dmp
memory/5624-4905-0x00000000053E0000-0x0000000005446000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fku15p1p.dcj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5624-4914-0x0000000005640000-0x0000000005997000-memory.dmp
memory/5624-4915-0x0000000005B40000-0x0000000005B5E000-memory.dmp
memory/5624-4916-0x0000000005B70000-0x0000000005BBC000-memory.dmp
memory/5624-4918-0x000000006E620000-0x000000006E66C000-memory.dmp
memory/5624-4917-0x0000000006D00000-0x0000000006D34000-memory.dmp
memory/5624-4927-0x0000000006D40000-0x0000000006D5E000-memory.dmp
memory/5624-4928-0x0000000006DE0000-0x0000000006E84000-memory.dmp
memory/5624-4930-0x0000000006F20000-0x0000000006F3A000-memory.dmp
memory/5624-4929-0x0000000007560000-0x0000000007BDA000-memory.dmp
memory/5624-4931-0x0000000006FA0000-0x0000000006FAA000-memory.dmp
memory/5624-4932-0x00000000071B0000-0x0000000007246000-memory.dmp
memory/5624-4933-0x0000000007130000-0x0000000007141000-memory.dmp
memory/5624-4934-0x0000000007170000-0x000000000717E000-memory.dmp
memory/5624-4935-0x0000000007250000-0x000000000726A000-memory.dmp
memory/8416-4938-0x0000000005540000-0x0000000005897000-memory.dmp
memory/8416-4947-0x000000006E620000-0x000000006E66C000-memory.dmp
memory/8636-4966-0x000000006E620000-0x000000006E66C000-memory.dmp
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | 0c81805493ab6e2ea8855e27dad4b63e |
| SHA1 | 2d1985e253b79f0071cf74ce067faf4d412d14db |
| SHA256 | 1beac1e13687b2200fdad579cc93d8216788a9adcaf0885b62af24fa1974c82d |
| SHA512 | a69d94b97a5e74b418060c7d7902dee05ec6a02302fc2f063fb96b38fd6966a9c8419d73208f570b045d29b1f69c7c26dbe9f85abc1aeb7e4a6b4b17f0b7efd4 |
C:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | f9ddc9083ffa20efd46386eca87582bb |
| SHA1 | 8558d23be32806ae0dc6e85dbb548f1507240b1e |
| SHA256 | c2dd00c3f8b25ff6b5d58317249bcd69a150bc29179bfb63cc2242fef4651cea |
| SHA512 | 3efed140be34ac956298959ee7dca4161c7b9afd0e06faccc1cfe65def71dd1c856cc16b80d6ad1536f3c7605f3501a75df3220b17654e4708306150deab3276 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
| MD5 | 93b877811441a5ae311762a7cb6fb1e1 |
| SHA1 | 339e033fd4fbb131c2d9b964354c68cd2cf18bd1 |
| SHA256 | b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b |
| SHA512 | 7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | e8fd6da54f056363b284608c3f6a832e |
| SHA1 | 32e88b82fd398568517ab03b33e9765b59c4946d |
| SHA256 | b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd |
| SHA512 | 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 01c4246df55a5fff93d086bb56110d2b |
| SHA1 | e2939375c4dd7b478913328b88eaa3c91913cfdc |
| SHA256 | c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889 |
| SHA512 | 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
| MD5 | 66df6f7b7a98ff750aade522c22d239a |
| SHA1 | f69464fe18ed03de597bb46482ae899f43c94617 |
| SHA256 | 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f |
| SHA512 | 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
memory/3284-5071-0x00000000734D0000-0x0000000073C81000-memory.dmp
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
| MD5 | 13a91913194e332beb95142e083f25cd |
| SHA1 | 0dced7b0ff24c027f2fa15b8d70af8aed4ef713f |
| SHA256 | 70bc64233308eb16b33dac7fd03b671c87940ebb2ac5edeb83b8813a1280767a |
| SHA512 | 56b62e5a5db5c914dea98ec01dcb11b1addf93be3ad72de2c67382425564d1fd3cae963257357c04ba38132c38655fadaa28ec287b8b4eca1fd0ff7981979b11 |
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
| MD5 | 4d592fd525e977bf3d832cdb1482faa0 |
| SHA1 | 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef |
| SHA256 | f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6 |
| SHA512 | afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8f2eb94e31cadfb6eb07e6bbe61ef7ae |
| SHA1 | 3f42b0d5a90408689e7f7941f8db72a67d5a2eab |
| SHA256 | d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de |
| SHA512 | 9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d56e8f308a28ac4183257a7950ab5c89 |
| SHA1 | 044969c58cef041a073c2d132fa66ccc1ee553fe |
| SHA256 | 0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae |
| SHA512 | fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5216f46f84a9acb8e41028e93188aaf8 |
| SHA1 | 8d19e3810dd323450aa85142b56b93b7cb385e48 |
| SHA256 | f0526b4983a01defc994cf5ea2ec7c6f35a5be895b29bcef684d65f04fb45161 |
| SHA512 | 7bc0d24fc31daac13304881b98e1fad3779c4d640e9328c8e627dcbe6f2565b28e8e0bba210ffd43f6de507c325c50836d19d0356aa13dccd8a56e39a0a47fc0 |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | 683ff2db80b51ad96989e9246c57892d |
| SHA1 | 0bcfa7effd0c0bff639e64e6bd30572d200f08f9 |
| SHA256 | 6e20c166f8d0a069e930be06fbec5b0f8cdb4fb5916f551c1504f6077058e5bd |
| SHA512 | 6f163f64a997fc49430a61bd3a02a19adc8967e643f5089049054265c1295bcaa3174e6af877e463ffe702a670d94450687ee9503f68964e53df035c8bebd060 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 0d58ad48baf52d1542c89c0d98229d0e |
| SHA1 | 020875975beec12facf261d11e59e66e2d36ea62 |
| SHA256 | 3b2a71821c9623f54de504d4062f57d5c808b0e2203bb799e660d00bb8f07d6f |
| SHA512 | acf9104be74bf6c1ff0ecc8730f99b63eebaa5661647f16f48b5b403bec0fb9fbcc14e4109a1360fa548df9ea1b8e12cb3655d905bcf0ccb7d617e489c953d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |