hxxps://www[.]ldplayer[.]net/versionshxxps://www[.]ldplayer[.]net/versions

Analysis

max time kernel
114s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
26-05-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions

Score

8^/10

discovery execution exploit persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4424 icacls.exe
6416 takeown.exe
6428 icacls.exe
6736 takeown.exe

pid	process
4424	icacls.exe
6416	takeown.exe
6428	icacls.exe
6736	takeown.exe

Executes dropped EXE 10 IoCs

Processes:

LDPlayer9_ens_1001_ld.exesaBSI.exersStubActivator.exe0tfoqmxj.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeLDPlayer.exeinstaller.exeinstaller.exe

pid	process
5808	LDPlayer9_ens_1001_ld.exe
2204	saBSI.exe
6020	rsStubActivator.exe
952	0tfoqmxj.exe
3080	RAVEndPointProtection-installer.exe
5828	rsSyncSvc.exe
1920	rsSyncSvc.exe
492	LDPlayer.exe
1524	installer.exe
5128	installer.exe

Loads dropped DLL 5 IoCs

Processes:

LDPlayer9_ens_1001_ld.exe0tfoqmxj.exeinstaller.exe

pid process

5808 LDPlayer9_ens_1001_ld.exe
5808 LDPlayer9_ens_1001_ld.exe
5808 LDPlayer9_ens_1001_ld.exe
952 0tfoqmxj.exe
5128 installer.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

6736 takeown.exe
4424 icacls.exe
6416 takeown.exe
6428 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
6736	takeown.exe
4424	icacls.exe
6416	takeown.exe
6428	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeinstaller.exeRAVEndPointProtection-installer.exe

description	ioc	process
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\postinit.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\triggeracceptor.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\stringutils.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\tests_logic.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\providers\yahoo.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\uihandler.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\mcafee_pc_install_icon2.png	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-da-DK.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\analyticsmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\resource.dll	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\uninstaller.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\lookupmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\wa_install_check.png	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\logic_loader.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wss.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\servicehost.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-tr-TR.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-zh-TW.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-nl-NL.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\handlers.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\taskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\webadvisor.ico	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\base_provider.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\class.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\priorityqueue.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\eula-nb-NO.txt	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\browserplugin.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\browserutils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\green_check.png	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\wa-core.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wps.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\usage_calculation.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\dkjson.luc	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\downloadscan.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1407560885\wssdep.cab	installer.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

7752 sc.exe
9600 sc.exe
9640 sc.exe
7424 sc.exe
7696 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
7752	sc.exe
9600	sc.exe
9640	sc.exe
7424	sc.exe
7696	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5228 taskkill.exe
2076 taskkill.exe
5696 taskkill.exe
3948 taskkill.exe

pid	process
5228	taskkill.exe
2076	taskkill.exe
5696	taskkill.exe
3948	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 366305.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeLDPlayer9_ens_1001_ld.exesaBSI.exeLDPlayer.exe

pid	process
2788	msedge.exe
2788	msedge.exe
1480	msedge.exe
1480	msedge.exe
4664	identity_helper.exe
4664	identity_helper.exe
388	msedge.exe
388	msedge.exe
5348	msedge.exe
5348	msedge.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
2204	saBSI.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
5808	LDPlayer9_ens_1001_ld.exe
492	LDPlayer.exe
492	LDPlayer.exe
492	LDPlayer.exe
492	LDPlayer.exe
492	LDPlayer.exe
492	LDPlayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_ens_1001_ld.exetaskkill.exetaskkill.exersStubActivator.exetaskkill.exetaskkill.exeRAVEndPointProtection-installer.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	5808	LDPlayer9_ens_1001_ld.exe
Token: SeShutdownPrivilege	5808	LDPlayer9_ens_1001_ld.exe
Token: SeCreatePagefilePrivilege	5808	LDPlayer9_ens_1001_ld.exe
Token: SeDebugPrivilege	5228	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	6020	rsStubActivator.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	3080	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	3080	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	3080	RAVEndPointProtection-installer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe
Token: SeDebugPrivilege	492	LDPlayer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LDPlayer9_ens_1001_ld.exeLDPlayer.exe

pid process

5808 LDPlayer9_ens_1001_ld.exe
492 LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1480 wrote to memory of 1868	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 1868	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 3636	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 2788	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 2788	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe
PID 1480 wrote to memory of 4172	1480	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7ce53cb8,0x7ffe7ce53cc8,0x7ffe7ce53cd8
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
2⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
2⤵
PID:5712

C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5808

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5696

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:492

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328190
4⤵
PID:6384

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
5⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
6⤵
PID:4364

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
5⤵
PID:6324

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
5⤵
PID:6604

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
5⤵
PID:6352

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
5⤵
PID:6640

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
5⤵
PID:3700

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
5⤵
PID:884

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
5⤵
PID:6648

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6736

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4424

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6416

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6428

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
5⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\605D8D31-90D3-4854-8D8B-3D58D38F84CB\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\605D8D31-90D3-4854-8D8B-3D58D38F84CB\dismhost.exe {89361D47-B554-42CE-BA37-46D51C953B10}
6⤵
PID:980

C:\Windows\SysWOW64\sc.exe
sc query HvHost
5⤵
- Launches sc.exe
PID:7424

C:\Windows\SysWOW64\sc.exe
sc query vmms
5⤵
- Launches sc.exe
PID:7696

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
5⤵
- Launches sc.exe
PID:7752

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
5⤵
PID:7548

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
5⤵
PID:8216

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
5⤵
PID:8236

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
5⤵
PID:8272

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
5⤵
PID:9564

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
5⤵
- Launches sc.exe
PID:9600

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
5⤵
- Launches sc.exe
PID:9640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
PID:9700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
2⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
2⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1
2⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:1
2⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2
2⤵
PID:6868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1524

C:\Program Files\McAfee\Temp1407560885\installer.exe
"C:\Program Files\McAfee\Temp1407560885\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5128

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
4⤵
PID:6548

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
5⤵
PID:908

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
4⤵
PID:1960

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
4⤵
PID:768

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
5⤵
PID:5256

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
4⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=3d8d521d20e0420170266ce4f4398e094d32e2f1&dit=20240526153556242&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe
"C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe" /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:5828

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
PID:7640

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
PID:7896

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:7472

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
PID:8036

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
PID:6748

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
PID:9332

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
4⤵
PID:9372

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:2132

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:4692

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
3⤵
PID:7044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
3⤵
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:244

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:8640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1407560885\analyticsmanager.cab
Filesize
1.8MB

MD5
dc4e5a62f9c5b04c8d3d20db961371f5

SHA1
12fb6ac6d3722a8bce60f77ca808e5959de95e02

SHA256
f43f800d8d85d7c5af3bbfa5b2ea13d183be8e8ad57f7a7fa4475bf603a693e9

SHA512
c684d5c877045855df3ceffa525dffbc53d55b3559d1dca19e10c586f2db7085cb395a6f933eccf8f2248e6338dcbad294b54014f1befb6b2534879413aa3531

Download Submit
C:\Program Files\McAfee\Temp1407560885\analyticstelemetry.cab
Filesize
58KB

MD5
1d8f7c95a72a600b371e819b678be0f0

SHA1
7d544961dee72463f43afe8fdadd7a5bbb14a75f

SHA256
27f810a794170a97e430dc29a26169dec6bcea373ee000785ac089cac058770a

SHA512
95987dd1f3e2de393c9f5c201b89fe4a24d6581d7a036ad5124d5d9ccb9df76ada28dff504f87bb6abcb1b1d7a4832fb57e4204e6e5c9a882bfc823e7f3189a3

Download Submit
C:\Program Files\McAfee\Temp1407560885\browserhost.cab
Filesize
1.2MB

MD5
ef297ee03d8ea0240a1821bcaccc1bb1

SHA1
01825ee74143242054e399d7dcd89c1e2edb692e

SHA256
b0004747c1da4ee30f93065bddda1e471338f07024d06e912cdf281333f7a0f3

SHA512
ac13a462e29b015990e2511eec9d8a3b6e224666b815a746294039296832a2699ea0f666b1a41efbe84fe145f213df297624ca69fec5f41533c247c289d3cb8d

Download Submit
C:\Program Files\McAfee\Temp1407560885\browserplugin.cab
Filesize
4.9MB

MD5
3afc7a2ed10d7804ee588a669a154ab2

SHA1
b5cc1d0eb51e389fd5c49a0ff354ca576e402f7d

SHA256
f7f7c0fabe6d53a3e09aeb38648302523cdae1efb427205661c5567257156313

SHA512
b3d4770cb4f9c7ca98f2d655dc7bfeac06e49cabf6934a043c92e9b8959994cae55006190e88f9684dd747e26a060de80c38b922a15a0f03d0325f2915f23c34

Download Submit
C:\Program Files\McAfee\Temp1407560885\downloadscan.cab
Filesize
2.2MB

MD5
830597a39c23a1d6234ef1eb5f9476e2

SHA1
ebb05cfb80da8a6d95b4123833f6b7f0c9230328

SHA256
dce5dc71a095b82388b5945ddbdfed67a25686df0e89a3ef64681eb6a85743da

SHA512
7aa363ffbb13cbf35db4da3ca5c56588cab5737b8eacea273ba0f94c7014c849f0f080b6fdfa7a72d4981af6f4fc3aec9c5b173e0a744c9b28cd597b8c7784ed

Download Submit
C:\Program Files\McAfee\Temp1407560885\eventmanager.cab
Filesize
1.5MB

MD5
4d640a7698ce8a63be145717d1384bb7

SHA1
2aba5a5d24b66cb49da317311b8a531f993a170f

SHA256
de0b3de2af79a643e4b7712563a486786f470574792ab2e655aeeb20686ac116

SHA512
f268c6cf2c638ca16aafa26c2da8cf7822c0ff2415d56df31ea91a2d79380012ef388e7a67be508c4f5f5a2f6d54e3c4ca3ee26ee7c4aeb576c69fffc49be25b

Download Submit
C:\Program Files\McAfee\Temp1407560885\installer.exe
Filesize
2.9MB

MD5
b2b02a72e98408c9e0ebd5036bd7a092

SHA1
6d95b41ee0b8d6445e8d52048b4013afaf78109c

SHA256
b2c1ad8af3439bc7458130400bd213dd3db5aee8f49e295027c97b11dbe6bf58

SHA512
b74afa38d91f41b0ffd445999905d6a2f2a88bd796b0ced6c55db10de62c7ee468cc27e94f701bca59cfa6819b22869ce33193446cec0db69eccec1dfe85654f

Download Submit
C:\Program Files\McAfee\Temp1407560885\l10n.cab
Filesize
274KB

MD5
5ccc4c0645e5c35756c7a2e8bd6368f1

SHA1
8fb2662037c528993ea3ed80c6384f7b2cfafbff

SHA256
3e3df2de1e9122e6f0c556e1fd557829a6f05c1d95e56ebfe7f25865825157c7

SHA512
63da51cf8beb96f7fa3d27bd62e6655870c8e193809848450ccdd36dd28765e240279af744a54c586431e28cc02312c00ba439a205fe8725059927a3a316157e

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
333KB

MD5
555033ada2832dbb1fe7c44beaf9851e

SHA1
5d58f893215b1a776a02ec19cc5fe3c35f59ef42

SHA256
24b19c67ff6b6492e76cb525b88489f93c5fe4e6910d146b0bc9d0a7dc890e2c

SHA512
7b50527d69e411aea832711f51d29da84a05a51d6ab4b5f4e754be565bb9bd41ef08051ea366e8d6061abc26abb1377775b29ce63876bf788b6b19b9a2eb3063

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
84595dac668b842a044a3045e2245627

SHA1
f9eb2f8c19b28743e095ac3cd510d8b85e909c20

SHA256
747ccb6d77d99aeb867b08b92e9804ae222f1809d767359f8535adf8f5e03e5b

SHA512
8564bd487e002f300c636936fc26d8019135a43ae71797424c9ec161c466346a24dd420339c628dc7566b67cc0c64d93f055061700aaf1c62a1db56bc0e7ea27

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
347KB

MD5
4886ebd59ff6473e5953f1c0500fbb3e

SHA1
1be2d630be3d2662665bd79c92fbbc5d75327335

SHA256
55afb6b03acf5666b639952ea09318f2431dda0e2e7486d50c2be49be848c02d

SHA512
b0c4faf8b10162a175da075cca7e5ca179de62704b27464f1855a73dbf6a545050f828c1ca47148b6e31574d52fcdaaf86374771ef35619406552a81b9ffbd67

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
9ac767636384aefbe78cf0287a6a4873

SHA1
aa707666cc97b654c3001c57b39d45950e253fd9

SHA256
b34c5a5f66a49de1ab02487e15ab6d0a667244f2aea3f95afdc7a5ed1c1d735c

SHA512
ed9114ec6dab10067a6e9d326658bfe567d7d07bb95c514f428813d3a9512225edf5ed9de773114c231535c3761a84ecf15e97d082b97e690eabf4134f8f689b

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
0678a30cb21fd2f510d570ded7ff1641

SHA1
a25625e520e5a39ce0e536096f75edbcdd49ddab

SHA256
345442b06ec29a461ad61bb35e13d7c8d87ee136b9ad172f12b17b2a9da7c69b

SHA512
7de35b4861a1ce05b34244773644b9f8039a0e2795432007762c0149978d1917d4007e79df793faaece4106cf6de7f991d753749529ec1753a92d122c63f6696

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
44ec7dd32a7d188d912aa8cce5b762f0

SHA1
7bd9a6f2fa778cf6d05f912910068f656a45dc47

SHA256
20b34766bc0db3e29570e87ea2c30a979ed51d46243cf17e1fe3c258b5cd79c4

SHA512
69f3c8493e8be2fede1c1584dc98fd27da1de9965dfcf9fd8c907d9c25c19899f36c83b8558c1eda94e798e051c5755148ef76185810675389e5b39a53ac0b63

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
1fb4f7d7febe7f1b57e571d95ba9c1a7

SHA1
6d159853870f202ad9f795e0541349d7905952a6

SHA256
7b364a1bd9477e7d8a6d1117c5b0a7a3708a948fbbb257c1411e2dd0dfd02866

SHA512
37b11251efc955bf85ae4addf8d7f07da5685aa1bdf8ea65e395b99f982df813195919e2f54e3b7e9e8c541bae11e3cb4b44fe6fa13b16c5a50a164c20269f15

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
e27ab22add94519650aa7e5124afe1b7

SHA1
1f21f96f7b9531f8ac4caa77d6996b0c99bb54c5

SHA256
600eae68efc5eff4c9ebe0b0be2f2501110d9ccc83ef080df0aa995c02c86231

SHA512
0f470144d0cf0303dd2d1e3c497cff2dd69c07c60d76d5a603fea2312b57557ab1c54fccacf03227a18217eea50c38ce0078e07750a2e6696f648103185644da

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
f7638f5b613517acc073ac59a484ce28

SHA1
6d71dd3ad384f26ccc6dfa13a5bbc8474aca53b7

SHA256
11015feb4736920f83dd594ded08aded534d638b2908a9afd779a35bf8fadc52

SHA512
f9ff2142f032f3b9e21eafc20ce8a88e64ea8665cc76a7eff5c24150a300f2883f6827aa91c7aee37d3359d8a159e537c553df11cabd048a1c4c8a03e54c7928

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
8b7c62ce75e4e301677ad4d127625d3e

SHA1
fa6978fa60540be4aeb7b3a35a93039be99d24ea

SHA256
a26fb9250d98e1da577e4f39c50d1faf37efff7d58c6404624e007e889031765

SHA512
e621a25d8562c28821d06496eedd4fb077f6b80b73c15ea3bf63e48ba1c661d44cabbe8ed7433be4cd527497f79cfb9437cb04ac7ac1e35b2a2185d88cacb4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
54199065126bcf4724de7a6da16a70a5

SHA1
0d92f0b7363eddc51942b0f339e5c5003b647806

SHA256
22110b33eff40e848ab2829a44284b62a60947b222f964052696ddd6f3bfe782

SHA512
044a59ecc0bdbcbd1b74aed5b6772fffc0b9e88b56355b6a6d7c1926bf236e57df81e22815a0308d5752c31c234449b374ffd1d3d5b1ed1999ee36deb8ef15cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
4f941c0a225a1f4eef989095d679285f

SHA1
496fcb2b8ceeea5ccdbbadec4854d9cbe2bcfc5f

SHA256
d020cc6f4cd9a25f205d48adc68ce9f218f771c07ad0cb47a5e19ae92a768ad2

SHA512
c5cfeea32d8bb28bbaac6ea29281b0d09171f515c73dbf39581bed15c4614a4f012c4319ccfa893ea169b7276d7a90b965da53c572fb8437caa6cbaed4da59ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5a14d2c052f846cc16cd2d6104d2c06c

SHA1
3db738e69b684bdc769869106fda2d2d4c7f84ae

SHA256
81302fe552ff4feceee2be126b8d051716096b7842956ccd4a0cc9dbdd26b6f6

SHA512
5223c0833b719a0d0e5316334b7b69c2d580c98730032dbc1b4c278bd4ec11bc7bb69a697e409a6c011d1d37682996b52704eedb02034c4e3ca4e457631d15bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d212fd42f2555187aa5a88e5699db3bb

SHA1
4d4ec6f1038f5de4f0709de8a41b3a23e9637b99

SHA256
1489558343a2c93e05f6c094e0e73b6d4170ef1d13402d0dff7953e00ac86735

SHA512
e812c567efbd3a97a94547fdeb7cfe72525acff789a18735b20271adc139189c35d6f229df5923083f8a7200b197c7ea82e77f1f29dffadb86270281472e8c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
83e9bbfd381d0dcaff75745bb3fe2d53

SHA1
b6755a72ddd935a0539928413690314f5c460749

SHA256
a2c05c5343ca0915d5c06b25213db498d2b67aeef9c581db2cbe7c30efe574e2

SHA512
6bbb61c21f7edc9b9c3cd4615db5aa94d1af631da260123cc714e32c9f96a51055b4a91af8fb5433b214238c9adc4cdc56ef0c31aa2c050d9f15d106fb94b8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c709.TMP
Filesize
203B

MD5
4de714a5b6a19c476340d5ceb190e9ae

SHA1
d91c50965f583a56fec3b9a7fe63f754acd56d33

SHA256
3518908c842b9caf35571e31c0d7fa1eb73bc61a51e94871e386d6b7f45d81c9

SHA512
478145f7b3375716219958342160a1b0f13643c243c72899f34c221c59c5a237b24839f7855a4e3febae433db060e858fc53fae7af8d4854059ffe19bd89c62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e6744391f9009656e7afe9935bf97dcf

SHA1
0cf93fcd52c1248e9eb63e7705801f043504e4f2

SHA256
6dc033f6c0167f71e9a39a4fb9338f96206775f88ec0741a7f3ce9538d9030bb

SHA512
93e50fc51e95f0782e98c0827857a16e811a7543557422200a5f0b1c75bb0d69acd6ee9870076cd2e95ae70501b5d0285312c6d1327f161cd94a41d663998196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d32cc40dfb89de0dab11c8753b1a4ec2

SHA1
cad7fb18049b2d526755dec23c7bd60301193bf5

SHA256
dd2ba223314a858b87c29306abd92a52a932e2093f45148630c5ae75db24da8a

SHA512
05264985a47a1a065a1223b13483b27dfebe5114de90f9cbdc8e87e13b54b96b241bf928804e4a059d25cfef31d456d1a89e990ac89929f39057cda86939e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe
Filesize
1.9MB

MD5
92de8e494af4ab73849ee645c31c9bbe

SHA1
e13572c98948f832ddc53819d359f4a318e496d7

SHA256
4b96805eb395b8235ed4c1ffb815ef591af66670ef64e3b9dd5ed11b41846f0d

SHA512
00d34cda1542858bbc32983ac2e5865ba5b886185265e0eda6ae07863d19c6687a6c35e6de78fa282103556ec3120a615f219b985d0ef10731970625570c89b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
Filesize
28.0MB

MD5
58b8915d4281db10762af30eaf315c9e

SHA1
1e8b10818226fa29bfa5cdd8c2595ba080b72a71

SHA256
c19df49f177f0fecf2d406ef7801a8d0e5641cb8a38b7b859cbf118cb5d0684e

SHA512
49247941a77f26ab599f948c66df21b6439e86d08652caa9b52ffbcefd80a8c685d75c8088361c98dde44936e44746c961f1828a5b9909fecd6ce9e7e6d2f794

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
Filesize
44KB

MD5
dfc5ba68361b2d9dded320a01c0af3c0

SHA1
13f2fc2f2009023b88aa73dba5191c9cf526dd86

SHA256
e13cf3296664d86fb6b52980e86c1964a6001b3b87faeff4d3ae79720594a269

SHA512
9c6e69d3ee97806b75c8e516cecc4f75c355e555430a7d06d9a958ff0804f7835a73cb91a11c0b3aa62d9acfa666ac0c767c554d884336072df31559a3417f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qn5dadnq.s4n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwa1737.tmp
Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF950.tmp\System.dll
Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
340KB

MD5
192d235d98d88bab41eed2a90a2e1942

SHA1
2c92c1c607ba0ca5ad4b2636ea0deb276dcc2266

SHA256
c9e3f36781204ed13c0adad839146878b190feb07df41f57693b99ca0a3924e3

SHA512
d469b0862af8c92f16e8e96c6454398800f22aac37951252f942f044e2efbfd799a375f13278167b48f6f792d6a3034afeace4a94e0b522f45ea5d6ff286a270

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe
Filesize
538KB

MD5
31cb221abd09084bf10c8d6acf976a21

SHA1
1214ac59242841b65eaa5fd78c6bed0c2a909a9b

SHA256
1bbba4dba3eb631909ba4b222d903293f70f7d6e1f2c9f52ae0cfca4e168bd0b

SHA512
502b3acf5306a83cb6c6a917e194ffdce8d3c8985c4488569e59bce02f9562b71e454da53fd4605946d35c344aa4e67667c500ebcd6d1a166f16edbc482ba671

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsAtom.dll
Filesize
156KB

MD5
16d9a46099809ac76ef74a007cf5e720

SHA1
e4870bf8cef67a09103385b03072f41145baf458

SHA256
58fec0c60d25f836d17e346b07d14038617ae55a5a13adfca13e2937065958f6

SHA512
10247771c77057fa82c1c2dc4d6dfb0f2ab7680cd006dbfa0f9fb93986d2bb37a7f981676cea35aca5068c183c16334f482555f22c9d5a5223d032d5c84b04f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsJSON.dll
Filesize
217KB

MD5
afd0aa2d81db53a742083b0295ae6c63

SHA1
840809a937851e5199f28a6e2d433bca08f18a4f

SHA256
1b55a9dd09b1cd51a6b1d971d1551233fa2d932bdea793d0743616a4f3edb257

SHA512
405e0cbcfff6203ea1224a81fb40bbefa65db59a08baa1b4f3f771240c33416c906a87566a996707ae32e75512abe470aec25820682f0bcf58ccc087a14699ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsLogger.dll
Filesize
176KB

MD5
4ece9fa3258b1227842c32f8b82299c0

SHA1
4fdd1a397497e1bff6306f68105c9cecb8041599

SHA256
61e85b501cf8c0f725c5b03c323320e6ee187e84f166d8f9deaf93b2ea6ca0ef

SHA512
a923bce293f8af2f2a34e789d6a2f1419dc4b3d760b46df49561948aa917bb244eda6da933290cd36b22121aad126a23d70de99bb663d4c4055280646ec6c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsStubLib.dll
Filesize
248KB

MD5
98f73ae19c98b734bdbe9dba30e31351

SHA1
9c656eb736d9fd68d3af64f6074f8bf41c7a727e

SHA256
944259d12065d301955931c79a8ae434c3ebccdcbfad5e545bab71765edc9239

SHA512
8ad15ef9897e2ffe83b6d0caf2fac09b4eb36d21768d5350b7e003c63cd19f623024cd73ac651d555e1c48019b94fa7746a6c252cc6b78fdffdab6cb11574a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsSyncSvc.exe
Filesize
795KB

MD5
3068531529196a5f3c9cb369b8a6a37f

SHA1
2c2b725964ca47f4d627cf323613538ca1da94d2

SHA256
688533610facdd062f37ff95b0fd7d75235c76901c543c4f708cfaa1850d6fac

SHA512
7f2d29a46832a9a9634a7f58e2263c9ec74c42cba60ee12b5bb3654ea9cc5ec8ca28b930ba68f238891cb02cf44f3d7ad600bca04b5f6389387233601f7276ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\08870090\ce31ab8e_82afda01\rsAtom.DLL
Filesize
158KB

MD5
c0e115eb5bc2449ca73cd370bcb66ac9

SHA1
7a6ae7f6c00aeeb9a3aef8d8971c2cf20e08a6b6

SHA256
31913b02f7ca4eac19e335f2db7915998db7138c8cda17fd0a162a43ca62818b

SHA512
1ce8c5ce6ddcbde306de1c1e138359a9abc0b1a56dc61146a66ce49285c5e624ae0a24ac9d6d0f7cbec3c8e67b1eaefc1c36eca21a56ef571f818762e9762ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\08ba0673\8ff6af8e_82afda01\rsJSON.DLL
Filesize
219KB

MD5
a10d8940e7153cf5bdec83f51481b48a

SHA1
98915a7da3e830eb9a081393a6477d3d5c6722f3

SHA256
6d6c8530e2d203a7dd838ddffe1ab1a21919a78608e26c80f9cf781c16c1cb83

SHA512
954ae7972b625307e0b123ac35a722d82453c012938f1667fb867639a23a89a3e8e9daca1a7ab0fe906886bf11d2b2c0535eaa663f0b2850412d19202ffcc15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\4d0936d8\8ff6af8e_82afda01\rsLogger.DLL
Filesize
178KB

MD5
572db1ac3da7e1de6d7df097ca616967

SHA1
aab90fe5b4f4f299035dbbab8ab5195c434264b2

SHA256
e2321f6c4f330c2856f047f713143d1e777a6bae47858d92f2861f9f64cda521

SHA512
07ce10821cc26345450b63af39b6288b58d113604fe837c3c4eaa4f062c6756b0f4f0dbae02e621b57fdf60b7412f42cc20cbfc55e1a40c6943eff543acc9037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\6646d707\3d59b28e_82afda01\rsServiceController.DLL
Filesize
174KB

MD5
3d83a836aec36f388628c88589f78d4b

SHA1
9d567d79a58f14e51ff1919379a8d9e218ffcb5a

SHA256
bf1e77211fe2a32efc6ef1833ffd23f3e720e6ecd363fa5f7199a4c863d41b70

SHA512
01892e60e44697af7f2988dc6cb0ee8b6b1f0b95374cf55a331dd92a6e856b4cb41f173c00c2519fdc20190dbc5b54342f65a2db0da45ae9e44c4b5075fbd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 366305.crdownload
Filesize
3.3MB

MD5
52311163022dbd17bb80414f3d18c194

SHA1
d6e0a809eda9724f9cd16770da59ef8b50210c8f

SHA256
6ae4f439c7bb84942e3f3f17b7bb3ba48cee214832b28a38b2f29a985b054cc5

SHA512
7e5480c9deb4a2557e2bec87c750efdaf43d80da6657ad7f088ea9ade1cf7d6c866dab2fc6766acd6dfce8f7de9d1564ade11ad5320671fed19895dc2a3be258

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
266KB

MD5
96267132253daade8e3040426da7007e

SHA1
480d89f28b33cebe634dfa959b03fd28d8dc1a33

SHA256
24c696b4fcc62fae4a4e88c6f1500ec800ed37baec6bd671e1a11044ddcac729

SHA512
c3062e8ed5b3342cac6c5a46114a262652001efa00a68dd938b4421aa7253a5d53485cba122c35a6f3b31efd5e3fbb5cfb928523b5396f7cba87c5bb588f83d4

Download Submit
\??\pipe\LOCAL\crashpad_1480_PAUIMNQVDGSSVWCG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3080-4913-0x000001F3FFDF0000-0x000001F3FFE1E000-memory.dmp

Filesize
184KB

Download
memory/3080-582-0x000001F3FFCF0000-0x000001F3FFD48000-memory.dmp

Filesize
352KB

Download
memory/3080-577-0x000001F3FFAD0000-0x000001F3FFAFA000-memory.dmp

Filesize
168KB

Download
memory/3080-4900-0x000001F3FFC80000-0x000001F3FFCAA000-memory.dmp

Filesize
168KB

Download
memory/3080-4888-0x000001F3FFC80000-0x000001F3FFCB0000-memory.dmp

Filesize
192KB

Download
memory/3080-4875-0x000001F3FFC80000-0x000001F3FFCBA000-memory.dmp

Filesize
232KB

Download
memory/3080-3251-0x000001F398E00000-0x000001F398E56000-memory.dmp

Filesize
344KB

Download
memory/3080-569-0x000001F3FDD90000-0x000001F3FDE18000-memory.dmp

Filesize
544KB

Download
memory/3080-571-0x000001F3FFA50000-0x000001F3FFA90000-memory.dmp

Filesize
256KB

Download
memory/3080-573-0x000001F3FE270000-0x000001F3FE2A0000-memory.dmp

Filesize
192KB

Download
memory/3080-575-0x000001F3FFA90000-0x000001F3FFACA000-memory.dmp

Filesize
232KB

Download
memory/5128-859-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-937-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-1138-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1131-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1079-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1073-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1071-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1064-0x00007FF7468A0000-0x00007FF7468B0000-memory.dmp

Filesize
64KB

Download
memory/5128-1052-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1041-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1039-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1037-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1026-0x00007FF7122C0000-0x00007FF7122D0000-memory.dmp

Filesize
64KB

Download
memory/5128-1024-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1023-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-1020-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-990-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-988-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-982-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-978-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-971-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-968-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-961-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-957-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-944-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

Filesize
64KB

Download
memory/5128-874-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-925-0x00007FF77F660000-0x00007FF77F670000-memory.dmp

Filesize
64KB

Download
memory/5128-923-0x00007FF77F660000-0x00007FF77F670000-memory.dmp

Filesize
64KB

Download
memory/5128-918-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-916-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-880-0x00007FF76E7B0000-0x00007FF76E7C0000-memory.dmp

Filesize
64KB

Download
memory/5128-871-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-870-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-869-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-868-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-867-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-866-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-865-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-864-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-863-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-862-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-861-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-860-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-835-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-872-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-858-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-853-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-851-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-848-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-846-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-1090-0x00007FF705250000-0x00007FF705260000-memory.dmp

Filesize
64KB

Download
memory/5128-1089-0x00007FF705250000-0x00007FF705260000-memory.dmp

Filesize
64KB

Download
memory/5128-896-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

Filesize
64KB

Download
memory/5128-873-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-854-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-836-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-841-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-837-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-838-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-850-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-857-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-852-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-856-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5128-855-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

Filesize
64KB

Download
memory/5808-404-0x00000000094B0000-0x00000000099DC000-memory.dmp

Filesize
5.2MB

Download
memory/5808-423-0x0000000009460000-0x000000000946A000-memory.dmp

Filesize
40KB

Download
memory/5808-400-0x0000000007A40000-0x0000000007AD2000-memory.dmp

Filesize
584KB

Download
memory/5808-399-0x0000000007EF0000-0x0000000008496000-memory.dmp

Filesize
5.6MB

Download
memory/5808-403-0x0000000008F10000-0x0000000008F76000-memory.dmp

Filesize
408KB

Download
memory/5808-396-0x0000000004E60000-0x0000000004E76000-memory.dmp

Filesize
88KB

Download
memory/5808-402-0x0000000008E70000-0x0000000008F0C000-memory.dmp

Filesize
624KB

Download
memory/5808-397-0x00000000741B0000-0x00000000741C6000-memory.dmp

Filesize
88KB

Download
memory/5808-401-0x00000000057E0000-0x0000000005824000-memory.dmp

Filesize
272KB

Download
memory/6020-496-0x0000027DDC030000-0x0000027DDC558000-memory.dmp

Filesize
5.2MB

Download
memory/6020-495-0x0000027DC14F0000-0x0000027DC14F8000-memory.dmp

Filesize
32KB

Download
memory/8640-5342-0x00000234195F0000-0x000002341976C000-memory.dmp

Filesize
1.5MB

Download
memory/8640-5343-0x0000023400BF0000-0x0000023400C0A000-memory.dmp

Filesize
104KB

Download
memory/8640-5344-0x0000023400C20000-0x0000023400C42000-memory.dmp

Filesize
136KB

Download
memory/8640-5341-0x00000234197E0000-0x0000023419B46000-memory.dmp

Filesize
3.4MB

Download
memory/9372-5140-0x000001D7805D0000-0x000001D7805FE000-memory.dmp

Filesize
184KB

Download
memory/9372-5154-0x000001D782210000-0x000001D782222000-memory.dmp

Filesize
72KB

Download
memory/9372-5155-0x000001D782270000-0x000001D7822AC000-memory.dmp

Filesize
240KB

Download
memory/9372-5141-0x000001D7805D0000-0x000001D7805FE000-memory.dmp

Filesize
184KB

Download
memory/9700-5346-0x0000000005410000-0x0000000005446000-memory.dmp

Filesize
216KB

Download
memory/9700-5348-0x0000000005AE0000-0x0000000005B02000-memory.dmp

Filesize
136KB

Download
memory/9700-5347-0x0000000005C30000-0x000000000625A000-memory.dmp

Filesize
6.2MB

Download
memory/9700-5354-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/9700-5358-0x0000000006340000-0x0000000006697000-memory.dmp

Filesize
3.3MB

Download
memory/9700-5364-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/9700-5365-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/9700-5366-0x0000000007740000-0x0000000007774000-memory.dmp

Filesize
208KB

Download
memory/9700-5367-0x000000006E8A0000-0x000000006E8EC000-memory.dmp

Filesize
304KB

Download
memory/9700-5376-0x0000000006D70000-0x0000000006D8E000-memory.dmp

Filesize
120KB

Download
memory/9700-5377-0x0000000007990000-0x0000000007A34000-memory.dmp

Filesize
656KB

Download
memory/9700-5379-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/9700-5378-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/9700-5380-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/9700-5381-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/9700-5382-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/9700-5383-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/9700-5384-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

Filesize
104KB

Download