Description	Indicator	Process	Target
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Windows\system32\drivers\rsElam.sys	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A

Manipulates Digital Signatures

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeEncode"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	C:\Windows\SysWOW64\regsvr32.exe	N/A

Possible privilege escalation attempt

exploit

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A

Modifies file permissions

discovery

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\icacls.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\takeown.exe	N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	C:\Windows\system32\rundll32.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description	Indicator	Process	Target
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-wss.png	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\new-tab-toasts.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Temp2109176641\webadvisor.cab	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
File created	C:\Program Files\ldplayer9box\host_manager.dll	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_tooltip_2.png	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\telemetry.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\installdate.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\error_transmitter.js	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
File created	C:\Program Files\McAfee\Temp2109176641\icon_failed.png	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\McAfee\Temp2109176641\wa_install_close2.png	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-shared-sv-SE.js	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-el-GR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\subdb.js	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\settingsdb.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-nl-NL.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-el-GR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\locale.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Temp2109176641\balloon_safe_annotation.png	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-install-ko-KR.js	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wb-rocket-icon.png	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-BR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-cs-CZ.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Parallel.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ch-store-overlay-ui.html	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-uninstall-icon.png	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-ja-JP.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-sr-Latn-CS.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\auxiliary\reset_handler.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-da-DK.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-el-GR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\navigatedtoday.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\searchreset.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\rsBridge.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-variants.css	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo2.png	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-cs-CZ.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\json2.js	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
File opened for modification	C:\Program Files\McAfee\Temp2109176641\jslang\wa-res-install-sr-Latn-CS.js	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.ValueTuple.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\events.json	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Concurrent.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-sv-SE.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-pt-BR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-PT.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-el-GR.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-sv-SE.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\analyticscontextconfig.luc	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-nb-NO.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
File created	C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-en-US.js	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File opened for modification	C:\Windows\Logs\DISM\dism.log	C:\Windows\SysWOW64\dism.exe	N/A
File opened for modification	C:\Windows\Logs\DISM\dism.log	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
N/A	N/A	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	N/A
N/A	N/A	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	N/A
N/A	N/A	C:\Program Files\McAfee\Temp2109176641\installer.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\UIHost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A
N/A	N/A	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\driverconfig.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\vbox-img.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\vbox-img.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\vbox-img.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	N/A

Launches sc.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\sc.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\regsvr32.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\UIHost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\UIHost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SYSTEM32\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\regsvr32.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\regsvr32.exe	N/A

Registers COM server for autorun

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	C:\Windows\SYSTEM32\regsvr32.exe	N/A

Enumerates physical storage devices

Checks processor information in registry

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C:\Windows\system32\runonce.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	C:\Windows\system32\runonce.exe	N/A
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A

Enumerates system info in registry

Description	Indicator	Process	Target
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Kills process with taskkill

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A

Modifies Internet Explorer settings

adware spyware

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A

Modifies data under HKEY_USERS

Description	Indicator	Process	Target
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	C:\Program Files\McAfee\WebAdvisor\updater.exe	N/A

Modifies registry class

Description	Indicator	Process	Target
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D612-47D3-89D4-DB3992533948}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ = "IMediumIO"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\TypeLib\Version = "1.3"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\NumMethods\ = "31"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9}	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\ = "IEventSource"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\ProxyStubClsid32	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\CLSID	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ = "IAudioAdapterChangedEvent"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CLSID	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ = "ISerialPort"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808e-11e9-b773-133d9330f849}	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ProxyStubClsid32	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\TypeLib\Version = "1.3"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\NumMethods	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\NumMethods\ = "13"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Ld9BoxSVC.exe\	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ProxyStubClsid32	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ = "INATNetworkCreationDeletionEvent"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ldmnq.ldbk\DefaultIcon	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-b7f1-4a5a-a4ef-a11dd9c2a458}	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\TypeLib\Version = "1.3"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib\Version = "1.3"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ = "IMediumAttachment"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D545-44AA-8013-181B8C288554}\ = "IExtPackPlugIn"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9}\ = "VirtualBox Application"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ = "IAudioAdapterChangedEvent"	C:\Windows\SysWOW64\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods\ = "229"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\NumMethods	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ = "IHostNetworkInterface"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ = "ICursorPositionChangedEvent"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods	C:\Windows\SysWOW64\regsvr32.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\TypeLib	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\ = "IPerformanceMetric"	C:\Windows\SYSTEM32\regsvr32.exe	N/A
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	C:\Windows\SYSTEM32\regsvr32.exe	N/A

Modifies system certificate store

evasion spyware trojan

Description	Indicator	Process	Target
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	C:\Program Files\ReasonLabs\EPP\rsWSC.exe	N/A
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A
N/A	N/A	C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe	N/A

Suspicious behavior: LoadsDriver

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SYSTEM32\fltmc.exe	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description	Indicator	Process	Target
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\SysWOW64\taskkill.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A
Token: SeDebugPrivilege	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	N/A

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Suspicious use of SendNotifyMessage

Description	Indicator	Process	Target
N/A	N/A	C:\LDPlayer\LDPlayer9\dnplayer.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A
N/A	N/A	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3284 wrote to memory of 1768	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 1768	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 1768	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 244	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 244	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 244	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 1332	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 1332	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 3284 wrote to memory of 1332	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\Windows\SysWOW64\taskkill.exe
PID 1072 wrote to memory of 4468	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe
PID 1072 wrote to memory of 4468	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe
PID 1072 wrote to memory of 4468	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe
PID 4468 wrote to memory of 3992	N/A	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe
PID 4468 wrote to memory of 3992	N/A	C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe
PID 3992 wrote to memory of 3164	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 3992 wrote to memory of 3164	N/A	C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 3284 wrote to memory of 4368	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 3284 wrote to memory of 4368	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 3284 wrote to memory of 4368	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe	C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 4368 wrote to memory of 4760	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 4368 wrote to memory of 4760	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 4368 wrote to memory of 4760	N/A	C:\LDPlayer\LDPlayer9\LDPlayer.exe	C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 4052 wrote to memory of 1080	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 4052 wrote to memory of 1080	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 1080 wrote to memory of 2932	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	C:\Program Files\McAfee\Temp2109176641\installer.exe
PID 1080 wrote to memory of 2932	N/A	C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe	C:\Program Files\McAfee\Temp2109176641\installer.exe
PID 4760 wrote to memory of 1592	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\net.exe
PID 4760 wrote to memory of 1592	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\net.exe
PID 4760 wrote to memory of 1592	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\net.exe
PID 1592 wrote to memory of 1252	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 1592 wrote to memory of 1252	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 1592 wrote to memory of 1252	N/A	C:\Windows\SysWOW64\net.exe	C:\Windows\SysWOW64\net1.exe
PID 4760 wrote to memory of 968	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 968	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 968	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 3008	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 3008	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 3008	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 2092	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 2092	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 2092	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 2356	N/A	C:\Program Files\McAfee\Temp2109176641\installer.exe	C:\Windows\SysWOW64\sc.exe
PID 2932 wrote to memory of 2356	N/A	C:\Program Files\McAfee\Temp2109176641\installer.exe	C:\Windows\SysWOW64\sc.exe
PID 2356 wrote to memory of 5676	N/A	C:\Windows\SYSTEM32\regsvr32.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 5676	N/A	C:\Windows\SYSTEM32\regsvr32.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 5676	N/A	C:\Windows\SYSTEM32\regsvr32.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 2996	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\System32\Conhost.exe
PID 4760 wrote to memory of 2996	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\System32\Conhost.exe
PID 4760 wrote to memory of 2996	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\System32\Conhost.exe
PID 4760 wrote to memory of 6396	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6396	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6396	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 2932 wrote to memory of 6412	N/A	C:\Program Files\McAfee\Temp2109176641\installer.exe	C:\Windows\SYSTEM32\regsvr32.exe
PID 2932 wrote to memory of 6412	N/A	C:\Program Files\McAfee\Temp2109176641\installer.exe	C:\Windows\SYSTEM32\regsvr32.exe
PID 4760 wrote to memory of 6432	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6432	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6432	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6636	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6636	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 6636	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 2276	N/A	C:\LDPlayer\LDPlayer9\dnrepairer.exe	C:\Windows\SysWOW64\takeown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_31815734_ld.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=31815734 -language=en -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=3460721671302c939cd507900233e2947ab355fb&dit=20240511220365806&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i

C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe

"C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nsq5244.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\p5p5suxl.exe" /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=590204

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp2109176641\installer.exe

"C:\Program Files\McAfee\Temp2109176641\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\A6DB4C41-A880-476E-A8AF-B079848079BE\dismhost.exe {7AE2234D-4366-4266-B6CE-F2303F50A266}

C:\Program Files\McAfee\WebAdvisor\updater.exe

"C:\Program Files\McAfee\WebAdvisor\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\\dnplayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004B4

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config