Malware Analysis Report

2024-09-11 05:55

Sample ID 240526-sz38rsbc51
Target https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions
Tags
discovery execution exploit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit persistence spyware stealer

Downloads MZ/PE file

Possible privilege escalation attempt

Creates new service(s)

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Kills process with taskkill

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

NTFS ADS

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-26 15:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 15:34

Reported

2024-05-26 15:37

Platform

win11-20240419-en

Max time kernel

114s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions

Signatures

Creates new service(s)

persistence execution

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
N/A N/A C:\Program Files\McAfee\Temp1407560885\installer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe N/A
N/A N/A C:\Program Files\McAfee\Temp1407560885\installer.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-zh-TW.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\postinit.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\triggeracceptor.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\stringutils.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-fr-FR.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-da-DK.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fi-FI.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\tests_logic.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\providers\yahoo.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\uihandler.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\mcafee_pc_install_icon2.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-da-DK.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-en-US.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\analyticsmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\resource.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\uninstaller.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-pt-BR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\lookupmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\wa_install_check.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-nl-NL.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-de-DE.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-cs-CZ.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\logic_loader.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wss.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\servicehost.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-tr-TR.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-zh-TW.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-nl-NL.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-pt-PT.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-pt-PT.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-ru-RU.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\handlers.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\taskmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\webadvisor.ico C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-sr-Latn-CS.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fr-CA.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-fr-FR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\base_provider.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\class.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\priorityqueue.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\eula-nb-NO.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-hr-HR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-zh-CN.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\browserplugin.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-pl-PL.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\browserutils.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\green_check.png C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\wa-core.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-fi-FI.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wps.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\usage_calculation.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\wa-utils.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-fr-CA.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-tr-TR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-el-GR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-install-nb-NO.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-ko-KR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\jslang\wa-res-shared-sv-SE.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\dkjson.luc C:\Program Files\McAfee\Temp1407560885\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\downloadscan.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1407560885\wssdep.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 366305.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 1868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 3636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 2788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/versionshttps://www.ldplayer.net/versions

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7ce53cb8,0x7ffe7ce53cc8,0x7ffe7ce53cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1

C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe

"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:1

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=3d8d521d20e0420170266ce4f4398e094d32e2f1&dit=20240526153556242&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe

"C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe" /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp1407560885\installer.exe

"C:\Program Files\McAfee\Temp1407560885\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328190

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15791961112569688832,3616379420311220247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1720 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Users\Admin\AppData\Local\Temp\605D8D31-90D3-4854-8D8B-3D58D38F84CB\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\605D8D31-90D3-4854-8D8B-3D58D38F84CB\dismhost.exe {89361D47-B554-42CE-BA37-46D51C953B10}

C:\Program Files\McAfee\WebAdvisor\updater.exe

"C:\Program Files\McAfee\WebAdvisor\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ldplayer.net udp
US 163.181.154.234:443 ldcdn.ldmnq.com tcp
US 163.181.154.234:443 ldcdn.ldmnq.com tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
GB 3.162.20.81:443 cdn.ldplayer.net tcp
US 104.26.4.6:443 cmp.setupcmp.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
GB 3.162.20.81:443 cdn.ldplayer.net tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
GB 3.162.20.98:443 apien.ldplayer.net tcp
FR 142.250.178.142:443 apis.google.com tcp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
FR 142.250.178.142:443 apis.google.com udp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
US 163.181.154.234:443 ldcdn.ldmnq.com tcp
BE 74.125.206.84:443 accounts.google.com tcp
FR 142.250.179.66:443 googleads.g.doubleclick.net tcp
BE 74.125.206.84:443 accounts.google.com udp
US 8.8.8.8:53 66.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 163.181.154.241:443 res.ldplayer.net tcp
FR 142.250.179.118:443 play-lh.googleusercontent.com tcp
FR 142.250.179.118:443 play-lh.googleusercontent.com tcp
US 104.18.30.49:443 stpd.cloud tcp
NL 23.63.101.152:80 apps.identrust.com tcp
FR 142.250.179.66:443 googleads.g.doubleclick.net udp
FR 142.250.179.97:443 tpc.googlesyndication.com tcp
FR 142.250.201.162:443 www.googletagservices.com tcp
FR 142.250.179.97:443 tpc.googlesyndication.com udp
FR 172.217.20.196:443 www.google.com tcp
GB 18.172.89.125:443 tagan.adlightning.com tcp
US 8.8.8.8:53 bidder.criteo.com udp
DE 162.19.138.120:443 lb.eu-1-id5-sync.com tcp
NL 185.184.8.90:443 prebid-eu.creativecdn.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 104.26.9.178:443 prebid-stag.setupad.net tcp
US 104.26.9.178:443 prebid-stag.setupad.net tcp
NL 145.40.97.67:443 prebid.a-mo.net tcp
DK 37.157.6.233:443 adx.adform.net tcp
US 172.64.153.78:443 mp.4dex.io tcp
US 8.8.8.8:53 cdn.jsdelivr.net udp
NL 178.250.1.8:443 bidder.criteo.com tcp
US 104.26.8.169:443 script.4dex.io tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 35.186.253.211:443 rtb.openx.net tcp
NL 185.106.140.18:443 rtb.adxpremium.services tcp
GB 3.162.21.19:443 c.amazon-adsystem.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
NL 185.184.8.90:443 prebid-eu.creativecdn.com tcp
FR 91.134.110.132:443 ssbsync-global.smartadserver.com tcp
US 104.26.8.169:443 script.4dex.io tcp
US 8.8.8.8:53 67.97.40.145.in-addr.arpa udp
US 8.8.8.8:53 78.153.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.6.157.37.in-addr.arpa udp
US 8.8.8.8:53 169.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 229.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 8.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 18.140.106.185.in-addr.arpa udp
US 104.18.23.145:443 cadmus.script.ac tcp
DE 162.19.138.120:443 lb.eu-1-id5-sync.com tcp
GB 18.165.160.56:443 config.aps.amazon-adsystem.com tcp
GB 18.172.93.140:443 aax.amazon-adsystem.com tcp
FR 216.58.213.91:443 storage.googleapis.com tcp
FR 216.58.213.91:443 storage.googleapis.com tcp
NL 81.17.55.161:443 prg.smartadserver.com tcp
US 104.22.52.86:443 cdn.id5-sync.com tcp
DE 184.30.211.26:443 secure.cdn.fastclick.net tcp
DE 184.30.211.26:443 secure.cdn.fastclick.net tcp
GB 18.172.89.8:443 tags.crwdcntrl.net tcp
NL 178.250.1.11:443 dnacdn.net tcp
US 104.22.52.173:443 cdn.hadronid.net tcp
US 8.8.8.8:53 161.55.17.81.in-addr.arpa udp
US 8.8.8.8:53 cm.adform.net udp
DE 51.89.9.251:443 onetag-sys.com tcp
IE 63.33.74.9:443 bcp.crwdcntrl.net tcp
DK 37.157.6.233:443 cm.adform.net tcp
DK 37.157.6.233:443 cm.adform.net tcp
DE 51.89.9.251:443 onetag-sys.com udp
US 8.8.8.8:53 id.hadron.ad.gt udp
DE 37.252.171.52:443 ib.adnxs.com tcp
NL 82.145.213.8:443 t.adx.opera.com tcp
NL 69.173.156.148:443 pixel-eu.rubiconproject.com tcp
NL 69.173.156.149:443 pixel-eu.rubiconproject.com tcp
GB 185.64.190.79:443 image8.pubmatic.com tcp
US 216.200.232.253:443 sync.mathtag.com tcp
US 80.77.87.166:443 cs.admanmedia.com tcp
US 172.67.40.173:443 spl.zeotap.com tcp
FR 154.54.250.81:443 ads.stickyadstv.com tcp
US 104.22.5.69:443 id.hadron.ad.gt tcp
DE 18.157.153.25:443 rtb.mfadsrvr.com tcp
FR 142.250.201.162:443 www.googletagservices.com udp
FR 216.58.215.34:443 cm.g.doubleclick.net tcp
US 80.77.87.166:443 cs.admanmedia.com tcp
FR 216.58.214.161:443 1fd9023a8aae93040739ebc1238db062.safeframe.googlesyndication.com tcp
NL 89.207.16.146:443 proc.ad.cpe.dotomi.com tcp
US 35.244.159.8:443 setupad-d.openx.net tcp
NL 35.214.149.91:443 x.bidswitch.net tcp
FR 216.58.215.34:443 cm.g.doubleclick.net tcp
NL 35.214.149.91:443 x.bidswitch.net tcp
US 35.244.159.8:443 setupad-d.openx.net udp
US 104.22.4.69:443 id.hadron.ad.gt tcp
BE 104.68.78.171:443 secure-assets.rubiconproject.com tcp
US 8.8.8.8:53 148.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 52.171.252.37.in-addr.arpa udp
US 8.8.8.8:53 81.250.54.154.in-addr.arpa udp
US 8.8.8.8:53 69.5.22.104.in-addr.arpa udp
US 8.8.8.8:53 25.153.157.18.in-addr.arpa udp
US 8.8.8.8:53 253.232.200.216.in-addr.arpa udp
US 8.8.8.8:53 146.16.207.89.in-addr.arpa udp
US 8.8.8.8:53 161.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 166.87.77.80.in-addr.arpa udp
US 8.8.8.8:53 8.159.244.35.in-addr.arpa udp
US 8.8.8.8:53 91.149.214.35.in-addr.arpa udp
US 8.8.8.8:53 34.215.58.216.in-addr.arpa udp
NL 178.250.1.3:443 static.criteo.net tcp
BE 2.21.18.175:443 eus.rubiconproject.com tcp
US 34.149.40.38:443 u.4dex.io tcp
FR 216.58.215.34:443 cm.g.doubleclick.net udp
NL 69.173.156.149:443 pixel-eu.rubiconproject.com tcp
DE 159.89.25.223:443 node.setupad.com tcp
FR 216.58.213.65:443 cdn.ampproject.org tcp
FR 216.58.213.65:443 cdn.ampproject.org tcp
FR 216.58.213.65:443 cdn.ampproject.org tcp
FR 216.58.213.65:443 cdn.ampproject.org tcp
FR 216.58.213.65:443 cdn.ampproject.org tcp
US 34.149.40.38:443 u.4dex.io udp
FR 142.250.179.97:443 tpc.googlesyndication.com udp
FR 172.217.20.196:443 www.google.com udp
FR 142.250.201.162:443 www.googletagservices.com udp
US 52.46.128.147:443 s.amazon-adsystem.com tcp
NL 185.235.87.14:443 ag.gbc.criteo.com tcp
NL 178.250.1.9:443 dis.criteo.com tcp
NL 81.17.55.116:443 rtb-csync.smartadserver.com tcp
NL 81.17.55.116:443 rtb-csync.smartadserver.com tcp
DE 91.228.74.244:443 cms.quantserve.com tcp
NL 81.17.55.116:443 rtb-csync.smartadserver.com tcp
DE 57.129.18.105:443 wt.rqtrk.eu tcp
NL 145.40.97.66:443 sync.a-mo.net tcp
DE 85.114.159.93:443 dsp.adfarm1.adition.com tcp
US 104.21.48.215:443 adxbid.info tcp
US 52.223.40.198:443 match.adsrvr.org tcp
US 151.101.2.49:443 sync-tm.everesttech.net tcp
NL 208.93.169.131:443 bh.contextweb.com tcp
US 13.248.245.213:443 eb2.3lift.com tcp
US 104.19.158.19:443 assets.a-mo.net tcp
FR 185.235.86.223:443 gem.gbc.criteo.com tcp
US 8.8.8.8:53 66.97.40.145.in-addr.arpa udp
US 8.8.8.8:53 215.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 93.159.114.85.in-addr.arpa udp
US 8.8.8.8:53 213.245.248.13.in-addr.arpa udp
US 8.8.8.8:53 131.169.93.208.in-addr.arpa udp
US 8.8.8.8:53 19.158.19.104.in-addr.arpa udp
US 8.8.8.8:53 223.86.235.185.in-addr.arpa udp
NL 79.127.227.46:443 id.a-mx.com tcp
NL 69.173.156.150:443 prebid-server.rubiconproject.com tcp
GB 185.64.190.84:443 ow.pubmatic.com tcp
DE 3.71.149.231:443 ups.analytics.yahoo.com tcp
US 8.2.110.113:443 as.ck-ie.com tcp
GB 195.181.164.15:443 vid.vidoomy.com tcp
US 104.18.38.233:80 crt.sectigo.com tcp
US 104.18.36.155:443 ssum.casalemedia.com tcp
GB 195.181.164.16:443 vpaid.vidoomy.com tcp
US 35.186.253.211:443 rtb.openx.net udp
US 209.192.201.180:443 user-sync.adxpremium.services tcp
ES 212.36.83.245:443 a.vidoomy.com tcp
GB 2.21.188.239:443 ads.pubmatic.com tcp
IE 34.252.182.88:443 ap.lijit.com tcp
GB 3.162.19.209:443 d19mtdoi3rn3ox.cloudfront.net tcp
GB 18.172.99.60:443 d1arl2thrafelv.cloudfront.net tcp
GB 18.172.99.60:443 d1arl2thrafelv.cloudfront.net tcp
GB 3.162.20.11:443 encdn.ldmnq.com tcp
GB 18.165.160.71:443 shield.reasonsecurity.com tcp
GB 18.172.99.205:443 d1arl2thrafelv.cloudfront.net tcp
US 52.35.147.103:443 analytics.apis.mcafee.com tcp
GB 18.165.160.71:443 shield.reasonsecurity.com tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
FR 142.250.75.238:80 www.google-analytics.com tcp
GB 3.162.20.44:443 update.reasonsecurity.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
GB 3.162.20.112:443 electron-shell.reasonsecurity.com tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
BE 104.68.84.174:443 home.mcafee.com tcp
BE 104.68.84.174:443 home.mcafee.com tcp
US 52.26.75.78:443 analytics.apis.mcafee.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 52.26.75.78:443 analytics.apis.mcafee.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
GB 3.162.20.60:443 cdn.reasonsecurity.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 52.26.75.78:443 analytics.apis.mcafee.com tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 3.214.3.211:443 track.analytics-data.io tcp
US 52.26.75.78:443 analytics.apis.mcafee.com tcp
US 104.18.38.233:80 crt.sectigo.com tcp
US 172.64.149.23:80 crt.sectigo.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d0f84c55517d34a91f12cccf1d3af583
SHA1 52bd01e6ab1037d31106f8bf6e2552617c201cea
SHA256 9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c
SHA512 94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

\??\pipe\LOCAL\crashpad_1480_PAUIMNQVDGSSVWCG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ade01a8cdbbf61f66497f88012a684d1
SHA1 9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f
SHA256 f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5
SHA512 fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a14d2c052f846cc16cd2d6104d2c06c
SHA1 3db738e69b684bdc769869106fda2d2d4c7f84ae
SHA256 81302fe552ff4feceee2be126b8d051716096b7842956ccd4a0cc9dbdd26b6f6
SHA512 5223c0833b719a0d0e5316334b7b69c2d580c98730032dbc1b4c278bd4ec11bc7bb69a697e409a6c011d1d37682996b52704eedb02034c4e3ca4e457631d15bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d32cc40dfb89de0dab11c8753b1a4ec2
SHA1 cad7fb18049b2d526755dec23c7bd60301193bf5
SHA256 dd2ba223314a858b87c29306abd92a52a932e2093f45148630c5ae75db24da8a
SHA512 05264985a47a1a065a1223b13483b27dfebe5114de90f9cbdc8e87e13b54b96b241bf928804e4a059d25cfef31d456d1a89e990ac89929f39057cda86939e7dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d212fd42f2555187aa5a88e5699db3bb
SHA1 4d4ec6f1038f5de4f0709de8a41b3a23e9637b99
SHA256 1489558343a2c93e05f6c094e0e73b6d4170ef1d13402d0dff7953e00ac86735
SHA512 e812c567efbd3a97a94547fdeb7cfe72525acff789a18735b20271adc139189c35d6f229df5923083f8a7200b197c7ea82e77f1f29dffadb86270281472e8c68

C:\Users\Admin\Downloads\Unconfirmed 366305.crdownload

MD5 52311163022dbd17bb80414f3d18c194
SHA1 d6e0a809eda9724f9cd16770da59ef8b50210c8f
SHA256 6ae4f439c7bb84942e3f3f17b7bb3ba48cee214832b28a38b2f29a985b054cc5
SHA512 7e5480c9deb4a2557e2bec87c750efdaf43d80da6657ad7f088ea9ade1cf7d6c866dab2fc6766acd6dfce8f7de9d1564ade11ad5320671fed19895dc2a3be258

C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 83e9bbfd381d0dcaff75745bb3fe2d53
SHA1 b6755a72ddd935a0539928413690314f5c460749
SHA256 a2c05c5343ca0915d5c06b25213db498d2b67aeef9c581db2cbe7c30efe574e2
SHA512 6bbb61c21f7edc9b9c3cd4615db5aa94d1af631da260123cc714e32c9f96a51055b4a91af8fb5433b214238c9adc4cdc56ef0c31aa2c050d9f15d106fb94b8fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c709.TMP

MD5 4de714a5b6a19c476340d5ceb190e9ae
SHA1 d91c50965f583a56fec3b9a7fe63f754acd56d33
SHA256 3518908c842b9caf35571e31c0d7fa1eb73bc61a51e94871e386d6b7f45d81c9
SHA512 478145f7b3375716219958342160a1b0f13643c243c72899f34c221c59c5a237b24839f7855a4e3febae433db060e858fc53fae7af8d4854059ffe19bd89c62d

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

MD5 d9cb0b4a66458d85470ccf9b3575c0e7
SHA1 1572092be5489725cffbabe2f59eba094ee1d8a1
SHA256 6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA512 94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

memory/5808-397-0x00000000741B0000-0x00000000741C6000-memory.dmp

memory/5808-396-0x0000000004E60000-0x0000000004E76000-memory.dmp

memory/5808-399-0x0000000007EF0000-0x0000000008496000-memory.dmp

memory/5808-400-0x0000000007A40000-0x0000000007AD2000-memory.dmp

memory/5808-401-0x00000000057E0000-0x0000000005824000-memory.dmp

memory/5808-402-0x0000000008E70000-0x0000000008F0C000-memory.dmp

memory/5808-403-0x0000000008F10000-0x0000000008F76000-memory.dmp

memory/5808-404-0x00000000094B0000-0x00000000099DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e6744391f9009656e7afe9935bf97dcf
SHA1 0cf93fcd52c1248e9eb63e7705801f043504e4f2
SHA256 6dc033f6c0167f71e9a39a4fb9338f96206775f88ec0741a7f3ce9538d9030bb
SHA512 93e50fc51e95f0782e98c0827857a16e811a7543557422200a5f0b1c75bb0d69acd6ee9870076cd2e95ae70501b5d0285312c6d1327f161cd94a41d663998196

memory/5808-423-0x0000000009460000-0x000000000946A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 54199065126bcf4724de7a6da16a70a5
SHA1 0d92f0b7363eddc51942b0f339e5c5003b647806
SHA256 22110b33eff40e848ab2829a44284b62a60947b222f964052696ddd6f3bfe782
SHA512 044a59ecc0bdbcbd1b74aed5b6772fffc0b9e88b56355b6a6d7c1926bf236e57df81e22815a0308d5752c31c234449b374ffd1d3d5b1ed1999ee36deb8ef15cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4f941c0a225a1f4eef989095d679285f
SHA1 496fcb2b8ceeea5ccdbbadec4854d9cbe2bcfc5f
SHA256 d020cc6f4cd9a25f205d48adc68ce9f218f771c07ad0cb47a5e19ae92a768ad2
SHA512 c5cfeea32d8bb28bbaac6ea29281b0d09171f515c73dbf39581bed15c4614a4f012c4319ccfa893ea169b7276d7a90b965da53c572fb8437caa6cbaed4da59ff

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

MD5 dfc5ba68361b2d9dded320a01c0af3c0
SHA1 13f2fc2f2009023b88aa73dba5191c9cf526dd86
SHA256 e13cf3296664d86fb6b52980e86c1964a6001b3b87faeff4d3ae79720594a269
SHA512 9c6e69d3ee97806b75c8e516cecc4f75c355e555430a7d06d9a958ff0804f7835a73cb91a11c0b3aa62d9acfa666ac0c767c554d884336072df31559a3417f3c

memory/6020-495-0x0000027DC14F0000-0x0000027DC14F8000-memory.dmp

memory/6020-496-0x0000027DDC030000-0x0000027DDC558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0tfoqmxj.exe

MD5 92de8e494af4ab73849ee645c31c9bbe
SHA1 e13572c98948f832ddc53819d359f4a318e496d7
SHA256 4b96805eb395b8235ed4c1ffb815ef591af66670ef64e3b9dd5ed11b41846f0d
SHA512 00d34cda1542858bbc32983ac2e5865ba5b886185265e0eda6ae07863d19c6687a6c35e6de78fa282103556ec3120a615f219b985d0ef10731970625570c89b5

C:\Users\Admin\AppData\Local\Temp\nslF950.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\RAVEndPointProtection-installer.exe

MD5 31cb221abd09084bf10c8d6acf976a21
SHA1 1214ac59242841b65eaa5fd78c6bed0c2a909a9b
SHA256 1bbba4dba3eb631909ba4b222d903293f70f7d6e1f2c9f52ae0cfca4e168bd0b
SHA512 502b3acf5306a83cb6c6a917e194ffdce8d3c8985c4488569e59bce02f9562b71e454da53fd4605946d35c344aa4e67667c500ebcd6d1a166f16edbc482ba671

memory/3080-569-0x000001F3FDD90000-0x000001F3FDE18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsStubLib.dll

MD5 98f73ae19c98b734bdbe9dba30e31351
SHA1 9c656eb736d9fd68d3af64f6074f8bf41c7a727e
SHA256 944259d12065d301955931c79a8ae434c3ebccdcbfad5e545bab71765edc9239
SHA512 8ad15ef9897e2ffe83b6d0caf2fac09b4eb36d21768d5350b7e003c63cd19f623024cd73ac651d555e1c48019b94fa7746a6c252cc6b78fdffdab6cb11574a70

memory/3080-571-0x000001F3FFA50000-0x000001F3FFA90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsLogger.dll

MD5 4ece9fa3258b1227842c32f8b82299c0
SHA1 4fdd1a397497e1bff6306f68105c9cecb8041599
SHA256 61e85b501cf8c0f725c5b03c323320e6ee187e84f166d8f9deaf93b2ea6ca0ef
SHA512 a923bce293f8af2f2a34e789d6a2f1419dc4b3d760b46df49561948aa917bb244eda6da933290cd36b22121aad126a23d70de99bb663d4c4055280646ec6c9dd

memory/3080-573-0x000001F3FE270000-0x000001F3FE2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsJSON.dll

MD5 afd0aa2d81db53a742083b0295ae6c63
SHA1 840809a937851e5199f28a6e2d433bca08f18a4f
SHA256 1b55a9dd09b1cd51a6b1d971d1551233fa2d932bdea793d0743616a4f3edb257
SHA512 405e0cbcfff6203ea1224a81fb40bbefa65db59a08baa1b4f3f771240c33416c906a87566a996707ae32e75512abe470aec25820682f0bcf58ccc087a14699ec

memory/3080-575-0x000001F3FFA90000-0x000001F3FFACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsAtom.dll

MD5 16d9a46099809ac76ef74a007cf5e720
SHA1 e4870bf8cef67a09103385b03072f41145baf458
SHA256 58fec0c60d25f836d17e346b07d14038617ae55a5a13adfca13e2937065958f6
SHA512 10247771c77057fa82c1c2dc4d6dfb0f2ab7680cd006dbfa0f9fb93986d2bb37a7f981676cea35aca5068c183c16334f482555f22c9d5a5223d032d5c84b04f2

memory/3080-577-0x000001F3FFAD0000-0x000001F3FFAFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\uninstall.ico

MD5 af1c23b1e641e56b3de26f5f643eb7d9
SHA1 6c23deb9b7b0c930533fdbeea0863173d99cf323
SHA256 0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058
SHA512 0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\Microsoft.Win32.TaskScheduler.dll

MD5 192d235d98d88bab41eed2a90a2e1942
SHA1 2c92c1c607ba0ca5ad4b2636ea0deb276dcc2266
SHA256 c9e3f36781204ed13c0adad839146878b190feb07df41f57693b99ca0a3924e3
SHA512 d469b0862af8c92f16e8e96c6454398800f22aac37951252f942f044e2efbfd799a375f13278167b48f6f792d6a3034afeace4a94e0b522f45ea5d6ff286a270

memory/3080-582-0x000001F3FFCF0000-0x000001F3FFD48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\rsSyncSvc.exe

MD5 3068531529196a5f3c9cb369b8a6a37f
SHA1 2c2b725964ca47f4d627cf323613538ca1da94d2
SHA256 688533610facdd062f37ff95b0fd7d75235c76901c543c4f708cfaa1850d6fac
SHA512 7f2d29a46832a9a9634a7f58e2263c9ec74c42cba60ee12b5bb3654ea9cc5ec8ca28b930ba68f238891cb02cf44f3d7ad600bca04b5f6389387233601f7276ef

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

MD5 58b8915d4281db10762af30eaf315c9e
SHA1 1e8b10818226fa29bfa5cdd8c2595ba080b72a71
SHA256 c19df49f177f0fecf2d406ef7801a8d0e5641cb8a38b7b859cbf118cb5d0684e
SHA512 49247941a77f26ab599f948c66df21b6439e86d08652caa9b52ffbcefd80a8c685d75c8088361c98dde44936e44746c961f1828a5b9909fecd6ce9e7e6d2f794

C:\Program Files\McAfee\Temp1407560885\installer.exe

MD5 b2b02a72e98408c9e0ebd5036bd7a092
SHA1 6d95b41ee0b8d6445e8d52048b4013afaf78109c
SHA256 b2c1ad8af3439bc7458130400bd213dd3db5aee8f49e295027c97b11dbe6bf58
SHA512 b74afa38d91f41b0ffd445999905d6a2f2a88bd796b0ced6c55db10de62c7ee468cc27e94f701bca59cfa6819b22869ce33193446cec0db69eccec1dfe85654f

C:\Users\Admin\AppData\Local\Temp\mwa1737.tmp

MD5 662de59677aecac08c7f75f978c399da
SHA1 1f85d6be1fa846e4bc90f7a29540466cf3422d24
SHA256 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb
SHA512 e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

C:\Program Files\McAfee\Temp1407560885\analyticsmanager.cab

MD5 dc4e5a62f9c5b04c8d3d20db961371f5
SHA1 12fb6ac6d3722a8bce60f77ca808e5959de95e02
SHA256 f43f800d8d85d7c5af3bbfa5b2ea13d183be8e8ad57f7a7fa4475bf603a693e9
SHA512 c684d5c877045855df3ceffa525dffbc53d55b3559d1dca19e10c586f2db7085cb395a6f933eccf8f2248e6338dcbad294b54014f1befb6b2534879413aa3531

C:\Program Files\McAfee\Temp1407560885\browserhost.cab

MD5 ef297ee03d8ea0240a1821bcaccc1bb1
SHA1 01825ee74143242054e399d7dcd89c1e2edb692e
SHA256 b0004747c1da4ee30f93065bddda1e471338f07024d06e912cdf281333f7a0f3
SHA512 ac13a462e29b015990e2511eec9d8a3b6e224666b815a746294039296832a2699ea0f666b1a41efbe84fe145f213df297624ca69fec5f41533c247c289d3cb8d

memory/5128-838-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-837-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-836-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-835-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

C:\Program Files\McAfee\Temp1407560885\analyticstelemetry.cab

MD5 1d8f7c95a72a600b371e819b678be0f0
SHA1 7d544961dee72463f43afe8fdadd7a5bbb14a75f
SHA256 27f810a794170a97e430dc29a26169dec6bcea373ee000785ac089cac058770a
SHA512 95987dd1f3e2de393c9f5c201b89fe4a24d6581d7a036ad5124d5d9ccb9df76ada28dff504f87bb6abcb1b1d7a4832fb57e4204e6e5c9a882bfc823e7f3189a3

C:\Program Files\McAfee\Temp1407560885\browserplugin.cab

MD5 3afc7a2ed10d7804ee588a669a154ab2
SHA1 b5cc1d0eb51e389fd5c49a0ff354ca576e402f7d
SHA256 f7f7c0fabe6d53a3e09aeb38648302523cdae1efb427205661c5567257156313
SHA512 b3d4770cb4f9c7ca98f2d655dc7bfeac06e49cabf6934a043c92e9b8959994cae55006190e88f9684dd747e26a060de80c38b922a15a0f03d0325f2915f23c34

memory/5128-841-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

C:\Program Files\McAfee\Temp1407560885\downloadscan.cab

MD5 830597a39c23a1d6234ef1eb5f9476e2
SHA1 ebb05cfb80da8a6d95b4123833f6b7f0c9230328
SHA256 dce5dc71a095b82388b5945ddbdfed67a25686df0e89a3ef64681eb6a85743da
SHA512 7aa363ffbb13cbf35db4da3ca5c56588cab5737b8eacea273ba0f94c7014c849f0f080b6fdfa7a72d4981af6f4fc3aec9c5b173e0a744c9b28cd597b8c7784ed

C:\Program Files\McAfee\Temp1407560885\eventmanager.cab

MD5 4d640a7698ce8a63be145717d1384bb7
SHA1 2aba5a5d24b66cb49da317311b8a531f993a170f
SHA256 de0b3de2af79a643e4b7712563a486786f470574792ab2e655aeeb20686ac116
SHA512 f268c6cf2c638ca16aafa26c2da8cf7822c0ff2415d56df31ea91a2d79380012ef388e7a67be508c4f5f5a2f6d54e3c4ca3ee26ee7c4aeb576c69fffc49be25b

C:\Program Files\McAfee\Temp1407560885\l10n.cab

MD5 5ccc4c0645e5c35756c7a2e8bd6368f1
SHA1 8fb2662037c528993ea3ed80c6384f7b2cfafbff
SHA256 3e3df2de1e9122e6f0c556e1fd557829a6f05c1d95e56ebfe7f25865825157c7
SHA512 63da51cf8beb96f7fa3d27bd62e6655870c8e193809848450ccdd36dd28765e240279af744a54c586431e28cc02312c00ba439a205fe8725059927a3a316157e

memory/5128-850-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-852-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-855-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-856-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-857-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-854-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-873-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-896-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-937-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-1090-0x00007FF705250000-0x00007FF705260000-memory.dmp

memory/5128-1089-0x00007FF705250000-0x00007FF705260000-memory.dmp

memory/5128-1138-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1131-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1079-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1073-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1071-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1064-0x00007FF7468A0000-0x00007FF7468B0000-memory.dmp

memory/5128-1052-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1041-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1039-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1037-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1026-0x00007FF7122C0000-0x00007FF7122D0000-memory.dmp

memory/5128-1024-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1023-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-1020-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-990-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-988-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-982-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-978-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-971-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-968-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-961-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-957-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-944-0x00007FF744F40000-0x00007FF744F50000-memory.dmp

memory/5128-874-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-925-0x00007FF77F660000-0x00007FF77F670000-memory.dmp

memory/5128-923-0x00007FF77F660000-0x00007FF77F670000-memory.dmp

memory/5128-918-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-916-0x00007FF70DD60000-0x00007FF70DD70000-memory.dmp

memory/5128-880-0x00007FF76E7B0000-0x00007FF76E7C0000-memory.dmp

memory/5128-871-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-870-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-869-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-868-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-867-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-866-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-865-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-864-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-863-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-862-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-861-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-860-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-859-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-872-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-858-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-853-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-851-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-848-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

memory/5128-846-0x00007FF711A80000-0x00007FF711A90000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 e27ab22add94519650aa7e5124afe1b7
SHA1 1f21f96f7b9531f8ac4caa77d6996b0c99bb54c5
SHA256 600eae68efc5eff4c9ebe0b0be2f2501110d9ccc83ef080df0aa995c02c86231
SHA512 0f470144d0cf0303dd2d1e3c497cff2dd69c07c60d76d5a603fea2312b57557ab1c54fccacf03227a18217eea50c38ce0078e07750a2e6696f648103185644da

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 44ec7dd32a7d188d912aa8cce5b762f0
SHA1 7bd9a6f2fa778cf6d05f912910068f656a45dc47
SHA256 20b34766bc0db3e29570e87ea2c30a979ed51d46243cf17e1fe3c258b5cd79c4
SHA512 69f3c8493e8be2fede1c1584dc98fd27da1de9965dfcf9fd8c907d9c25c19899f36c83b8558c1eda94e798e051c5755148ef76185810675389e5b39a53ac0b63

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 f7638f5b613517acc073ac59a484ce28
SHA1 6d71dd3ad384f26ccc6dfa13a5bbc8474aca53b7
SHA256 11015feb4736920f83dd594ded08aded534d638b2908a9afd779a35bf8fadc52
SHA512 f9ff2142f032f3b9e21eafc20ce8a88e64ea8665cc76a7eff5c24150a300f2883f6827aa91c7aee37d3359d8a159e537c553df11cabd048a1c4c8a03e54c7928

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 8b7c62ce75e4e301677ad4d127625d3e
SHA1 fa6978fa60540be4aeb7b3a35a93039be99d24ea
SHA256 a26fb9250d98e1da577e4f39c50d1faf37efff7d58c6404624e007e889031765
SHA512 e621a25d8562c28821d06496eedd4fb077f6b80b73c15ea3bf63e48ba1c661d44cabbe8ed7433be4cd527497f79cfb9437cb04ac7ac1e35b2a2185d88cacb4b6

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 6f97cb1b2d3fcf88513e2c349232216a
SHA1 846110d3bf8b8d7a720f646435909ef80bbcaa0c
SHA256 6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272
SHA512 2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 1fb4f7d7febe7f1b57e571d95ba9c1a7
SHA1 6d159853870f202ad9f795e0541349d7905952a6
SHA256 7b364a1bd9477e7d8a6d1117c5b0a7a3708a948fbbb257c1411e2dd0dfd02866
SHA512 37b11251efc955bf85ae4addf8d7f07da5685aa1bdf8ea65e395b99f982df813195919e2f54e3b7e9e8c541bae11e3cb4b44fe6fa13b16c5a50a164c20269f15

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 555033ada2832dbb1fe7c44beaf9851e
SHA1 5d58f893215b1a776a02ec19cc5fe3c35f59ef42
SHA256 24b19c67ff6b6492e76cb525b88489f93c5fe4e6910d146b0bc9d0a7dc890e2c
SHA512 7b50527d69e411aea832711f51d29da84a05a51d6ab4b5f4e754be565bb9bd41ef08051ea366e8d6061abc26abb1377775b29ce63876bf788b6b19b9a2eb3063

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 84595dac668b842a044a3045e2245627
SHA1 f9eb2f8c19b28743e095ac3cd510d8b85e909c20
SHA256 747ccb6d77d99aeb867b08b92e9804ae222f1809d767359f8535adf8f5e03e5b
SHA512 8564bd487e002f300c636936fc26d8019135a43ae71797424c9ec161c466346a24dd420339c628dc7566b67cc0c64d93f055061700aaf1c62a1db56bc0e7ea27

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 4886ebd59ff6473e5953f1c0500fbb3e
SHA1 1be2d630be3d2662665bd79c92fbbc5d75327335
SHA256 55afb6b03acf5666b639952ea09318f2431dda0e2e7486d50c2be49be848c02d
SHA512 b0c4faf8b10162a175da075cca7e5ca179de62704b27464f1855a73dbf6a545050f828c1ca47148b6e31574d52fcdaaf86374771ef35619406552a81b9ffbd67

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 0678a30cb21fd2f510d570ded7ff1641
SHA1 a25625e520e5a39ce0e536096f75edbcdd49ddab
SHA256 345442b06ec29a461ad61bb35e13d7c8d87ee136b9ad172f12b17b2a9da7c69b
SHA512 7de35b4861a1ce05b34244773644b9f8039a0e2795432007762c0149978d1917d4007e79df793faaece4106cf6de7f991d753749529ec1753a92d122c63f6696

memory/3080-3251-0x000001F398E00000-0x000001F398E56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\08ba0673\8ff6af8e_82afda01\rsJSON.DLL

MD5 a10d8940e7153cf5bdec83f51481b48a
SHA1 98915a7da3e830eb9a081393a6477d3d5c6722f3
SHA256 6d6c8530e2d203a7dd838ddffe1ab1a21919a78608e26c80f9cf781c16c1cb83
SHA512 954ae7972b625307e0b123ac35a722d82453c012938f1667fb867639a23a89a3e8e9daca1a7ab0fe906886bf11d2b2c0535eaa663f0b2850412d19202ffcc15f

memory/3080-4875-0x000001F3FFC80000-0x000001F3FFCBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\4d0936d8\8ff6af8e_82afda01\rsLogger.DLL

MD5 572db1ac3da7e1de6d7df097ca616967
SHA1 aab90fe5b4f4f299035dbbab8ab5195c434264b2
SHA256 e2321f6c4f330c2856f047f713143d1e777a6bae47858d92f2861f9f64cda521
SHA512 07ce10821cc26345450b63af39b6288b58d113604fe837c3c4eaa4f062c6756b0f4f0dbae02e621b57fdf60b7412f42cc20cbfc55e1a40c6943eff543acc9037

memory/3080-4888-0x000001F3FFC80000-0x000001F3FFCB0000-memory.dmp

memory/3080-4900-0x000001F3FFC80000-0x000001F3FFCAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\08870090\ce31ab8e_82afda01\rsAtom.DLL

MD5 c0e115eb5bc2449ca73cd370bcb66ac9
SHA1 7a6ae7f6c00aeeb9a3aef8d8971c2cf20e08a6b6
SHA256 31913b02f7ca4eac19e335f2db7915998db7138c8cda17fd0a162a43ca62818b
SHA512 1ce8c5ce6ddcbde306de1c1e138359a9abc0b1a56dc61146a66ce49285c5e624ae0a24ac9d6d0f7cbec3c8e67b1eaefc1c36eca21a56ef571f818762e9762ea7

C:\Users\Admin\AppData\Local\Temp\nslF951.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\6646d707\3d59b28e_82afda01\rsServiceController.DLL

MD5 3d83a836aec36f388628c88589f78d4b
SHA1 9d567d79a58f14e51ff1919379a8d9e218ffcb5a
SHA256 bf1e77211fe2a32efc6ef1833ffd23f3e720e6ecd363fa5f7199a4c863d41b70
SHA512 01892e60e44697af7f2988dc6cb0ee8b6b1f0b95374cf55a331dd92a6e856b4cb41f173c00c2519fdc20190dbc5b54342f65a2db0da45ae9e44c4b5075fbd610

memory/3080-4913-0x000001F3FFDF0000-0x000001F3FFE1E000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 9ac767636384aefbe78cf0287a6a4873
SHA1 aa707666cc97b654c3001c57b39d45950e253fd9
SHA256 b34c5a5f66a49de1ab02487e15ab6d0a667244f2aea3f95afdc7a5ed1c1d735c
SHA512 ed9114ec6dab10067a6e9d326658bfe567d7d07bb95c514f428813d3a9512225edf5ed9de773114c231535c3761a84ecf15e97d082b97e690eabf4134f8f689b

C:\Windows\Logs\DISM\dism.log

MD5 96267132253daade8e3040426da7007e
SHA1 480d89f28b33cebe634dfa959b03fd28d8dc1a33
SHA256 24c696b4fcc62fae4a4e88c6f1500ec800ed37baec6bd671e1a11044ddcac729
SHA512 c3062e8ed5b3342cac6c5a46114a262652001efa00a68dd938b4421aa7253a5d53485cba122c35a6f3b31efd5e3fbb5cfb928523b5396f7cba87c5bb588f83d4

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

memory/9372-5140-0x000001D7805D0000-0x000001D7805FE000-memory.dmp

memory/9372-5141-0x000001D7805D0000-0x000001D7805FE000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 b2ec2559e28da042f6baa8d4c4822ad5
SHA1 3bda8d045c2f8a6daeb7b59bf52295d5107bf819
SHA256 115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3
SHA512 11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

memory/9372-5155-0x000001D782270000-0x000001D7822AC000-memory.dmp

memory/9372-5154-0x000001D782210000-0x000001D782222000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

memory/8640-5341-0x00000234197E0000-0x0000023419B46000-memory.dmp

memory/8640-5342-0x00000234195F0000-0x000002341976C000-memory.dmp

memory/8640-5344-0x0000023400C20000-0x0000023400C42000-memory.dmp

memory/8640-5343-0x0000023400BF0000-0x0000023400C0A000-memory.dmp

memory/9700-5346-0x0000000005410000-0x0000000005446000-memory.dmp

memory/9700-5347-0x0000000005C30000-0x000000000625A000-memory.dmp

memory/9700-5348-0x0000000005AE0000-0x0000000005B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qn5dadnq.s4n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/9700-5354-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/9700-5358-0x0000000006340000-0x0000000006697000-memory.dmp

memory/9700-5364-0x0000000006790000-0x00000000067AE000-memory.dmp

memory/9700-5365-0x00000000067B0000-0x00000000067FC000-memory.dmp

memory/9700-5366-0x0000000007740000-0x0000000007774000-memory.dmp

memory/9700-5367-0x000000006E8A0000-0x000000006E8EC000-memory.dmp

memory/9700-5376-0x0000000006D70000-0x0000000006D8E000-memory.dmp

memory/9700-5377-0x0000000007990000-0x0000000007A34000-memory.dmp

memory/9700-5379-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

memory/9700-5378-0x0000000008110000-0x000000000878A000-memory.dmp

memory/9700-5380-0x0000000007B40000-0x0000000007B4A000-memory.dmp

memory/9700-5381-0x0000000007D50000-0x0000000007DE6000-memory.dmp

memory/9700-5382-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

memory/9700-5383-0x0000000007D10000-0x0000000007D1E000-memory.dmp

memory/9700-5384-0x0000000007DF0000-0x0000000007E0A000-memory.dmp