Analysis Overview
score
8/10
SHA256
1f5cc5c2211c48f57acf7d4113a487fbbd74a423303102821c913139d7ff782a
Threat Level: Likely malicious
The file LDPlayer9_fr_com.candya.iinfoappfree_8110_ld.exe was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Possible privilege escalation attempt
Reads user/profile data of web browsers
Modifies file permissions
Downloads MZ/PE file
Checks computer location settings
Checks installed software on the system
Launches sc.exe
Registers COM server for autorun
Executes dropped EXE
Drops file in Program Files directory
Loads dropped DLL
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-28 17:13
Signatures
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 17:13
Reported
2024-05-28 17:16
Platform
win10v2004-20240226-en
Max time kernel
164s
Max time network
210s
Command Line
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_fr_com.candya.iinfoappfree_8110_ld.exe"
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLREMOVESIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast-toggle.css | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\browsernavigate.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\core\priorityqueue.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-cs-CZ.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-it-IT.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-zh-CN.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-ja-JP.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\installedextensions.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp3318692942\jslang\wa-res-install-es-ES.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pl-PL.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-ja-JP.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-es-ES.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ko-KR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-overlay-ui.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-ui-checklist.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\logicmodule.dll | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-oem-ss-toast-variants-step2.png | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-es-ES.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\simplewmiquery.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-pt-BR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sr-Latn-CS.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-ko-KR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\sendimmediately.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-es-MX.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-nl-NL.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-pt-PT.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\sendonping.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\config_manager.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\emitter.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-el-GR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\mwb\wa-controller-mwb-checklist.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-pl-PL.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-zh-CN.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ch-store-overlay-ui.html | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-sr-Latn-CS.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\msspstatus.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\formatters\eventformatter_json.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp3318692942\jslang\wa-res-install-sr-Latn-CS.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-pl-PL.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\telemetryconfig.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\survey.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\osflavour.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\wssanalyticsraw.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\webadvisor.mcafee.chrome.extension.json | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-hu-HU.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-fr-FR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\new-tab-overlay.html | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\transport_aws_apigateway_v1.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-de-DE.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\pscore_vertical_header.png | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-fi-FI.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-sv-SE.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-increase.css | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\wssanalytics.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\uninstall.ico | C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\RAVEndPointProtection-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\servicehost.exe | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\featuretrackingfeature.luc | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\event_handler.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-hr-HR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-hu-HU.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\stop-video-alert-icon.png | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-nb-NO.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-pt-BR.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-it-IT.js | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5o5j0jnb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\RAVEndPointProtection-installer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| N/A | N/A | C:\Program Files\McAfee\Temp3318692942\installer.exe | N/A |
| N/A | N/A | C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe | N/A |
| N/A | N/A | C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe | N/A |
| N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046} | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_fr_com.candya.iinfoappfree_8110_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_fr_com.candya.iinfoappfree_8110_ld.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=dd7d433d869aa9862cdf0ae5eb9ab29544b8a53d&dit=20240528171489149&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=8110 -language=fr -path="C:\LDPlayer\LDPlayer9\"
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
C:\Users\Admin\AppData\Local\Temp\5o5j0jnb.exe
"C:\Users\Admin\AppData\Local\Temp\5o5j0jnb.exe" /silent
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\5o5j0jnb.exe" /silent
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Program Files\McAfee\Temp3318692942\installer.exe
"C:\Program Files\McAfee\Temp3318692942\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524336
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Users\Admin\AppData\Local\Temp\181841A7-5DE7-4A28-8859-51A587B8D0F8\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\181841A7-5DE7-4A28-8859-51A587B8D0F8\dismhost.exe {4FC01074-C0E6-47A4-BEE6-82867721A2A7}
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| GB | 3.162.20.11:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 11.20.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.159.165.18.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | d3n1ms4uhtqgov.cloudfront.net | udp |
| US | 8.8.8.8:53 | 49.4.219.8.in-addr.arpa | udp |
| GB | 3.162.19.94:443 | d3n1ms4uhtqgov.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 94.19.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1arl2thrafelv.cloudfront.net | udp |
| GB | 18.172.99.65:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 65.99.172.18.in-addr.arpa | udp |
| GB | 18.172.99.65:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1arl2thrafelv.cloudfront.net | udp |
| US | 8.8.8.8:53 | shield.reasonsecurity.com | udp |
| GB | 18.172.99.149:443 | d1arl2thrafelv.cloudfront.net | tcp |
| GB | 18.165.160.99:443 | shield.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 149.99.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.160.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| GB | 18.165.160.99:443 | shield.reasonsecurity.com | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | analytics.apis.mcafee.com | udp |
| US | 52.27.249.186:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | 186.249.27.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.48.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sadownload.mcafee.com | udp |
| GB | 104.91.71.133:443 | sadownload.mcafee.com | tcp |
| US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| FR | 142.250.75.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.analytics-data.io | udp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | 58.16.194.34.in-addr.arpa | udp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | home.mcafee.com | udp |
| BE | 104.68.84.174:443 | home.mcafee.com | tcp |
| US | 52.27.249.186:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | 174.84.68.104.in-addr.arpa | udp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | sadownload.mcafee.com | udp |
| GB | 104.91.71.133:443 | sadownload.mcafee.com | tcp |
| US | 8.8.8.8:53 | analytics.apis.mcafee.com | udp |
| US | 35.83.125.109:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | 109.125.83.35.in-addr.arpa | udp |
| US | 35.83.125.109:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | update.reasonsecurity.com | udp |
| GB | 3.162.20.105:443 | update.reasonsecurity.com | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | electron-shell.reasonsecurity.com | udp |
| US | 8.8.8.8:53 | 105.20.162.3.in-addr.arpa | udp |
| GB | 3.162.20.88:443 | electron-shell.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 88.20.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sadownload.mcafee.com | udp |
| GB | 104.91.71.143:443 | sadownload.mcafee.com | tcp |
| US | 8.8.8.8:53 | 143.71.91.104.in-addr.arpa | udp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | cdn.reasonsecurity.com | udp |
| US | 34.194.16.58:443 | track.analytics-data.io | tcp |
| GB | 3.162.20.85:443 | cdn.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 85.20.162.3.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | 7d5d3e2fcfa5ff53f5ae075ed4327b18 |
| SHA1 | 3905104d8f7ba88b3b34f4997f3948b3183953f6 |
| SHA256 | e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4 |
| SHA512 | e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589 |
memory/4832-12-0x00000000061B0000-0x00000000061C0000-memory.dmp
memory/4832-13-0x00000000732DE000-0x00000000732DF000-memory.dmp
memory/4832-17-0x00000000065F0000-0x0000000006604000-memory.dmp
memory/4832-18-0x0000000073B80000-0x0000000073B94000-memory.dmp
memory/4832-19-0x0000000009960000-0x0000000009F04000-memory.dmp
memory/4832-22-0x0000000009770000-0x0000000009802000-memory.dmp
memory/4832-30-0x000000000A5C0000-0x000000000A604000-memory.dmp
memory/4832-32-0x000000000A740000-0x000000000A7A6000-memory.dmp
memory/4832-31-0x000000000A6A0000-0x000000000A73C000-memory.dmp
memory/4832-33-0x000000000ACE0000-0x000000000B20C000-memory.dmp
memory/4832-34-0x000000000B230000-0x000000000B23A000-memory.dmp
memory/4832-35-0x00000000732D0000-0x0000000073A80000-memory.dmp
memory/4832-36-0x00000000732D0000-0x0000000073A80000-memory.dmp
memory/4832-37-0x00000000061B0000-0x00000000061C0000-memory.dmp
memory/4832-38-0x00000000732DE000-0x00000000732DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
| MD5 | 224cc6a8f0b780f5c3fb7ebb41a19b04 |
| SHA1 | 9a6877bf6448239a6b35e9833f4f9737dcd62491 |
| SHA256 | 46b1853b37af86c4714897e6c88aa818b70c9c500a7adcada6b3bb15c63414e2 |
| SHA512 | b1840a8d430c73e463c518bc3e94e9ee8fc7e57d5b60433fb6016ab05ad49a203984cc5923007f1c08819680af889c9f3254cbab742d2feb9c04eec918087988 |
memory/2116-42-0x00007FF9D4983000-0x00007FF9D4985000-memory.dmp
memory/2116-43-0x0000026283B80000-0x0000026283B88000-memory.dmp
memory/2116-44-0x000002629E780000-0x000002629ECA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
| MD5 | 143255618462a577de27286a272584e1 |
| SHA1 | efc032a6822bc57bcd0c9662a6a062be45f11acb |
| SHA256 | f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4 |
| SHA512 | c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9 |
memory/4832-55-0x00000000732D0000-0x0000000073A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5o5j0jnb.exe
| MD5 | 38be6f69c58f40b8c9c4ee2e69ed7cd0 |
| SHA1 | 7a71e40643cb40c675185f32fce8838d628481ba |
| SHA256 | 3e237875cb764c2c046ab8370a1f530ad0d8022c30ca348b140f7a1356fa3935 |
| SHA512 | 327bf4da5bb08be362e96cc7ecf732b9972086c4408881df084464e13a711b827c7ab1f1c395ed94d08152dfde1c8b6d9fb856dcc655527b305b6f3fe65b7852 |
C:\Users\Admin\AppData\Local\Temp\nscD307.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\RAVEndPointProtection-installer.exe
| MD5 | 31cb221abd09084bf10c8d6acf976a21 |
| SHA1 | 1214ac59242841b65eaa5fd78c6bed0c2a909a9b |
| SHA256 | 1bbba4dba3eb631909ba4b222d903293f70f7d6e1f2c9f52ae0cfca4e168bd0b |
| SHA512 | 502b3acf5306a83cb6c6a917e194ffdce8d3c8985c4488569e59bce02f9562b71e454da53fd4605946d35c344aa4e67667c500ebcd6d1a166f16edbc482ba671 |
memory/1616-128-0x00000282492E0000-0x0000028249368000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\rsStubLib.dll
| MD5 | 98f73ae19c98b734bdbe9dba30e31351 |
| SHA1 | 9c656eb736d9fd68d3af64f6074f8bf41c7a727e |
| SHA256 | 944259d12065d301955931c79a8ae434c3ebccdcbfad5e545bab71765edc9239 |
| SHA512 | 8ad15ef9897e2ffe83b6d0caf2fac09b4eb36d21768d5350b7e003c63cd19f623024cd73ac651d555e1c48019b94fa7746a6c252cc6b78fdffdab6cb11574a70 |
memory/1616-130-0x0000028249770000-0x00000282497B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\rsLogger.dll
| MD5 | 4ece9fa3258b1227842c32f8b82299c0 |
| SHA1 | 4fdd1a397497e1bff6306f68105c9cecb8041599 |
| SHA256 | 61e85b501cf8c0f725c5b03c323320e6ee187e84f166d8f9deaf93b2ea6ca0ef |
| SHA512 | a923bce293f8af2f2a34e789d6a2f1419dc4b3d760b46df49561948aa917bb244eda6da933290cd36b22121aad126a23d70de99bb663d4c4055280646ec6c9dd |
memory/1616-133-0x00000282497B0000-0x00000282497E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\rsJSON.dll
| MD5 | afd0aa2d81db53a742083b0295ae6c63 |
| SHA1 | 840809a937851e5199f28a6e2d433bca08f18a4f |
| SHA256 | 1b55a9dd09b1cd51a6b1d971d1551233fa2d932bdea793d0743616a4f3edb257 |
| SHA512 | 405e0cbcfff6203ea1224a81fb40bbefa65db59a08baa1b4f3f771240c33416c906a87566a996707ae32e75512abe470aec25820682f0bcf58ccc087a14699ec |
memory/1616-135-0x0000028263970000-0x00000282639AA000-memory.dmp
memory/4832-139-0x00000000732D0000-0x0000000073A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
| MD5 | 58b8915d4281db10762af30eaf315c9e |
| SHA1 | 1e8b10818226fa29bfa5cdd8c2595ba080b72a71 |
| SHA256 | c19df49f177f0fecf2d406ef7801a8d0e5641cb8a38b7b859cbf118cb5d0684e |
| SHA512 | 49247941a77f26ab599f948c66df21b6439e86d08652caa9b52ffbcefd80a8c685d75c8088361c98dde44936e44746c961f1828a5b9909fecd6ce9e7e6d2f794 |
memory/1616-210-0x00000282639B0000-0x00000282639DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\rsAtom.dll
| MD5 | 16d9a46099809ac76ef74a007cf5e720 |
| SHA1 | e4870bf8cef67a09103385b03072f41145baf458 |
| SHA256 | 58fec0c60d25f836d17e346b07d14038617ae55a5a13adfca13e2937065958f6 |
| SHA512 | 10247771c77057fa82c1c2dc4d6dfb0f2ab7680cd006dbfa0f9fb93986d2bb37a7f981676cea35aca5068c183c16334f482555f22c9d5a5223d032d5c84b04f2 |
C:\Program Files\McAfee\Temp3318692942\installer.exe
| MD5 | b2b02a72e98408c9e0ebd5036bd7a092 |
| SHA1 | 6d95b41ee0b8d6445e8d52048b4013afaf78109c |
| SHA256 | b2c1ad8af3439bc7458130400bd213dd3db5aee8f49e295027c97b11dbe6bf58 |
| SHA512 | b74afa38d91f41b0ffd445999905d6a2f2a88bd796b0ced6c55db10de62c7ee468cc27e94f701bca59cfa6819b22869ce33193446cec0db69eccec1dfe85654f |
C:\Users\Admin\AppData\Local\Temp\mwa58F.tmp
| MD5 | 662de59677aecac08c7f75f978c399da |
| SHA1 | 1f85d6be1fa846e4bc90f7a29540466cf3422d24 |
| SHA256 | 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb |
| SHA512 | e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0 |
C:\Program Files\McAfee\Temp3318692942\analyticsmanager.cab
| MD5 | dc4e5a62f9c5b04c8d3d20db961371f5 |
| SHA1 | 12fb6ac6d3722a8bce60f77ca808e5959de95e02 |
| SHA256 | f43f800d8d85d7c5af3bbfa5b2ea13d183be8e8ad57f7a7fa4475bf603a693e9 |
| SHA512 | c684d5c877045855df3ceffa525dffbc53d55b3559d1dca19e10c586f2db7085cb395a6f933eccf8f2248e6338dcbad294b54014f1befb6b2534879413aa3531 |
C:\Program Files\McAfee\Temp3318692942\analyticstelemetry.cab
| MD5 | 1d8f7c95a72a600b371e819b678be0f0 |
| SHA1 | 7d544961dee72463f43afe8fdadd7a5bbb14a75f |
| SHA256 | 27f810a794170a97e430dc29a26169dec6bcea373ee000785ac089cac058770a |
| SHA512 | 95987dd1f3e2de393c9f5c201b89fe4a24d6581d7a036ad5124d5d9ccb9df76ada28dff504f87bb6abcb1b1d7a4832fb57e4204e6e5c9a882bfc823e7f3189a3 |
C:\Program Files\McAfee\Temp3318692942\browserhost.cab
| MD5 | ef297ee03d8ea0240a1821bcaccc1bb1 |
| SHA1 | 01825ee74143242054e399d7dcd89c1e2edb692e |
| SHA256 | b0004747c1da4ee30f93065bddda1e471338f07024d06e912cdf281333f7a0f3 |
| SHA512 | ac13a462e29b015990e2511eec9d8a3b6e224666b815a746294039296832a2699ea0f666b1a41efbe84fe145f213df297624ca69fec5f41533c247c289d3cb8d |
memory/4568-309-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-308-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-307-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\browserplugin.cab
| MD5 | 3afc7a2ed10d7804ee588a669a154ab2 |
| SHA1 | b5cc1d0eb51e389fd5c49a0ff354ca576e402f7d |
| SHA256 | f7f7c0fabe6d53a3e09aeb38648302523cdae1efb427205661c5567257156313 |
| SHA512 | b3d4770cb4f9c7ca98f2d655dc7bfeac06e49cabf6934a043c92e9b8959994cae55006190e88f9684dd747e26a060de80c38b922a15a0f03d0325f2915f23c34 |
memory/4568-311-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\downloadscan.cab
| MD5 | 830597a39c23a1d6234ef1eb5f9476e2 |
| SHA1 | ebb05cfb80da8a6d95b4123833f6b7f0c9230328 |
| SHA256 | dce5dc71a095b82388b5945ddbdfed67a25686df0e89a3ef64681eb6a85743da |
| SHA512 | 7aa363ffbb13cbf35db4da3ca5c56588cab5737b8eacea273ba0f94c7014c849f0f080b6fdfa7a72d4981af6f4fc3aec9c5b173e0a744c9b28cd597b8c7784ed |
memory/4568-306-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\l10n.cab
| MD5 | 5ccc4c0645e5c35756c7a2e8bd6368f1 |
| SHA1 | 8fb2662037c528993ea3ed80c6384f7b2cfafbff |
| SHA256 | 3e3df2de1e9122e6f0c556e1fd557829a6f05c1d95e56ebfe7f25865825157c7 |
| SHA512 | 63da51cf8beb96f7fa3d27bd62e6655870c8e193809848450ccdd36dd28765e240279af744a54c586431e28cc02312c00ba439a205fe8725059927a3a316157e |
memory/4568-316-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\eventmanager.cab
| MD5 | 4d640a7698ce8a63be145717d1384bb7 |
| SHA1 | 2aba5a5d24b66cb49da317311b8a531f993a170f |
| SHA256 | de0b3de2af79a643e4b7712563a486786f470574792ab2e655aeeb20686ac116 |
| SHA512 | f268c6cf2c638ca16aafa26c2da8cf7822c0ff2415d56df31ea91a2d79380012ef388e7a67be508c4f5f5a2f6d54e3c4ca3ee26ee7c4aeb576c69fffc49be25b |
memory/4568-314-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-318-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\logicmodule.cab
| MD5 | 9501b1366feb857135e5d252618c1eee |
| SHA1 | 75c2463c0414bd7a446fae59818b5e09079f1bf0 |
| SHA256 | 2d0ae00abb55e00f80a39a155272839d315f2c874ce597c3b2c49f89e8a34321 |
| SHA512 | 05ddf40cc35a4d087033e9fa60c61e783e254d1d7f826078588a275502ea5f0ad68788213f73e8281262facaabbc80f613215d2a1f876e89948b8835cd0a19f9 |
C:\Program Files\McAfee\Temp3318692942\logicscripts.cab
| MD5 | 3b9b80964bbfecac64f133b8969a7afc |
| SHA1 | 3bcd2415169b348bbc88b23285e71ac898c7c617 |
| SHA256 | 1883bb949ed1f2f180a418b06745168a7123b378339f6bfccaae7a1acbdbfbf6 |
| SHA512 | 8ca928177f69b5238639c5e11dbfdc02fd1d2bd46e3ff72c67f24965cb754c16ff72af730a2e31ccf95390fd41e03c354353bbde68711a7f76fc4b38681136fa |
C:\Program Files\McAfee\Temp3318692942\lookupmanager.cab
| MD5 | ccd008b192ef72a73b1cde8e8da62d9c |
| SHA1 | e907b1f670e0336fdc5085e30447b3accd932a3d |
| SHA256 | 7b6edb3ff653a4e35d46b7df1d38758bdf818de7c11b58960933aa60d0b9906c |
| SHA512 | 089c1ff9947ae2add2700580ca9481bf4dee7b258431bf8d25efb4fe8682ddca4f85956c3037919888c959a9a823889959dfce1f9a1b84938da5359dbbf39aba |
C:\Program Files\McAfee\Temp3318692942\mfw-mwb.cab
| MD5 | 1753f1f1a623519d38631a1ff7237fb2 |
| SHA1 | b3f2e94372d3bdbde8c99593f68d93fd224999ff |
| SHA256 | 83f3e39419cc39af3b448b12ce9223b9f1ab344d5fce9c0bddb8553ef8058cd4 |
| SHA512 | 34a62b1c61ec80c07ef9df669d7de77bd671b801289f8bb2739f57f989281e96513489a90e9a5872ef949ffb559b2036e9ef4afb4d6066921075b0d71ec66bc4 |
C:\Program Files\McAfee\Temp3318692942\mfw-webadvisor.cab
| MD5 | b180379055383f30732d39eb0269c79b |
| SHA1 | 050de5a6a4fd8297e31259f0e99343648d798a5d |
| SHA256 | e53a3fe148a06433db5f6b1c880a47836d7a55cabcc96eeecc1ac82df95f8c90 |
| SHA512 | f8d60ab6c6f266d48cf828ccae7d0b54381e49e8ebe5cef6ef5a74a7158873627f378d7f6fdee6e55ccf516cde1876b442330723590454fd0982315c9755f351 |
memory/4568-334-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\mfw.cab
| MD5 | 6da354da78b5a7c52be22572eb5efc55 |
| SHA1 | 791b010349c7397157a97106b7336f008bcd5eff |
| SHA256 | 638278c1247e614fcdcc34892738a8e43f39c0d8b44848b4debf9021e4888903 |
| SHA512 | 53aac6eae168a28be0ce4181a21633db6b0a64e41673ffb8c0620d901cea59a4bc59476be85da37834ba2fc61019a0e7eb82bd0a4d98da9e3b42a0cfc3924c7f |
C:\Program Files\McAfee\Temp3318692942\resourcedll.cab
| MD5 | 08b4e5d3f3b19bf35be7e71f107c5e18 |
| SHA1 | 64672efa144601751bdcd50f217b15c767a15dfb |
| SHA256 | f39012b54ba8ab45afeb81257fee103d8e96f74eee8abfdad1156dce80f19254 |
| SHA512 | cb28690c7cf4ab22e849a8f3b3fc3e2dddb971f0e51f32516dc6461acdfe03e5b52a9694fb37210a41aa6d26fd61a31478f458fc0b3c23a43aae0c14ba157536 |
C:\Program Files\McAfee\Temp3318692942\servicehost.cab
| MD5 | d2ac362ff38fea03b7b06b8ec47cbed0 |
| SHA1 | 1dfc1d653c753fa0cf03f7277176ff539475d87c |
| SHA256 | 88a6f34ca571ecbcefdb56ca59d1772cc4db96856a67a3f4b00c4f4841919508 |
| SHA512 | 0dc34db6b73a58b10271f273e0cd4da2cb0cd76895debef5e7d7322af4624049fd49adf650e3346e18e32133f28393f8b5c2b67304d2bc7d88becf9bce47c90c |
C:\Program Files\McAfee\Temp3318692942\settingmanager.cab
| MD5 | c0c685dd96b3f9a94a10197e4dfcc851 |
| SHA1 | b8745c84e5a573b7a5349001213229d704579719 |
| SHA256 | 6ed8c980565ef3f3a091e4a8cf314dddca86e38465b62450a9c6ab153811c8e2 |
| SHA512 | 03e1d8835b2845d529ee54487b8fe2abe63c82f28697bdd1115e2f7c40b24c0df8cca93e6b8d58b08e52bb4082f0131940917204ee552c85565ac7b515fbc492 |
C:\Program Files\McAfee\Temp3318692942\taskmanager.cab
| MD5 | 8cf6c31c071ee0b2d40bd3b573412bb2 |
| SHA1 | d35907dc3c0a3dab95e9283ed240f92d9447eaa8 |
| SHA256 | ddccc80534f3a777be411a85e123a1e9e5a027a667099de9eb8079012b15c11d |
| SHA512 | 5b986dfceead00dd4f6feaf1d0c38e20f15148f5e57b1c13647aa788695f4ec082a1838b99c6d104359011bc2546c5ed10e6d3aa9f5bc4ebad5c2776aa11da56 |
C:\Program Files\McAfee\Temp3318692942\telemetry.cab
| MD5 | 93d7bcc823aff1fcb98f1a913dadea1f |
| SHA1 | 01256549663cec9d6eb7e51d1d976111090f829f |
| SHA256 | bf80c0e6f1b2ed8e7f2d72d8f4fda1c6fdb35f60aa75914e8b4867175b981759 |
| SHA512 | cc428ad9705140631a527968c5bef77acc00ed927a13a5433360b6444f4d492514d89d9bb5b68244cfeac8c1757f3c8ed95b0421b404bc3653903d0f6ac7100d |
C:\Program Files\McAfee\Temp3318692942\uihost.cab
| MD5 | 90a174f59ac31acafd2d4df00a661ec4 |
| SHA1 | 483c58d8a0a4164e21cd503a805c42d95e62bc85 |
| SHA256 | 96143a282e06a937a511619cabba7cef75b236b1e0c3e110b41efba47e9f2f9d |
| SHA512 | 77d389628ee12c1c55f591dac3d0a1fc34ab684dbd3302df4796d35a1bbd466d6518dcd1fd48b1ef07f2930e7b81bb2b04ad70b7d6254fa3df2e0b981e2d0f05 |
C:\Program Files\McAfee\Temp3318692942\uimanager.cab
| MD5 | 96e263c704eb690d769c95b1c34d03ea |
| SHA1 | 6902e7c2f81c238a1a19994a2f22231204bac752 |
| SHA256 | d1ccfa367f07a6e271ed67f1f3f8f3936edfb6274d66a80086e9cdbb47931e0c |
| SHA512 | a2e83fbe91c04305bce0eed423c8e0831e4d98c07224aaf59d8feb961f54eced4e569b9bccc751af718e263945a2cde0f3b3294a1a4dd61e6a437a1a7304b80a |
memory/4568-353-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\uninstaller.cab
| MD5 | 2319c2aa297f5fcdd8956458f94d1a1e |
| SHA1 | e0c9a5398274bdbe17163200df8b9200543b4de5 |
| SHA256 | adc108549827342ae93ed7163a61cca1296824b3be54e266dc5c779f8a7a87c0 |
| SHA512 | 6778e179ee471c613947b729f6dec579f6b50640b46336b97bab5ee468371b681885058af4cabf6842294e868a03d72fd6e10b76f181f2defb9e516cfd38716c |
C:\Program Files\McAfee\Temp3318692942\updater.cab
| MD5 | 7b483cbd80605019bc216f9babdee9cf |
| SHA1 | ef89717ff63335bb0689b7aea4acbe512d291cb6 |
| SHA256 | 4939f02ac5bef2bf850dfde34902dc84101125b0ac3cb0ed71b2dcb9459b833e |
| SHA512 | 924c0732fbfbe01df6055973e2005dc084314edc16867b32d9f7356ad24ad3756cc2bd8ffbbd5b50b5553edf285a92c51c33b0682557e66227e89b95d04d3edf |
memory/4568-361-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-333-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\mfw-nps.cab
| MD5 | 006acd223a6f124b6d18dc54e518027d |
| SHA1 | cad740d4f3228ddb9518a0baad6c75dd5765d88b |
| SHA256 | 22ffacd39ac79e89a2b90c4e7a4a7c7cf6d9c2e08e8e3821217770a727278b45 |
| SHA512 | 8a21c1cdb957c1524122e992af6f6919ee915a8602fb63195fe3cf77984cdccbcffa79dea64ff87a8306d88b2bf79c4d18541468f5bfbcadcefb082e6db946b1 |
memory/4568-331-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-329-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/1616-328-0x0000028263A50000-0x0000028263AA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\Microsoft.Win32.TaskScheduler.dll
| MD5 | 192d235d98d88bab41eed2a90a2e1942 |
| SHA1 | 2c92c1c607ba0ca5ad4b2636ea0deb276dcc2266 |
| SHA256 | c9e3f36781204ed13c0adad839146878b190feb07df41f57693b99ca0a3924e3 |
| SHA512 | d469b0862af8c92f16e8e96c6454398800f22aac37951252f942f044e2efbfd799a375f13278167b48f6f792d6a3034afeace4a94e0b522f45ea5d6ff286a270 |
C:\Users\Admin\AppData\Local\Temp\nshD327.tmp\uninstall.ico
| MD5 | af1c23b1e641e56b3de26f5f643eb7d9 |
| SHA1 | 6c23deb9b7b0c930533fdbeea0863173d99cf323 |
| SHA256 | 0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058 |
| SHA512 | 0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4 |
memory/4568-322-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-320-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
C:\Program Files\McAfee\Temp3318692942\wataskmanager.cab
| MD5 | a4dfa367963fd3e46210d3bd0b4102b1 |
| SHA1 | 9dd28c37af5b86c1f20e52933cf9ea47dfe1fc60 |
| SHA256 | f4670f2db3e33f2130b636af2faa495a52532ec304a58014ae2128242aea5047 |
| SHA512 | 339ca24709b5577fd3b20170c6b6e75d80f19408b67fb3188b5b9e1de7a67a5ff2f5eb8002519ba9ca8609aee0b30858fca02cc455c5f4db15f493a3f3ff8f6a |
C:\Program Files\McAfee\Temp3318692942\webadvisor.cab
| MD5 | 354ba45bc1f16f0f644723e2660e3ca0 |
| SHA1 | cdab1b7a3ce71eb13eec62b4cadc1ea5fee6da45 |
| SHA256 | b436cf419f88f409a7d27b43b5932c6e381c5b6a93a323b64051cd7c5ef59ce5 |
| SHA512 | e381fd66dbdc9b5d839b95556d0085d550c2a00ba1fb0430d41ca4bfd14c7dac21eaca57ea393ad7e953940300deb14679e9db7a0fd54f9fe0729a4be009e456 |
C:\Program Files\McAfee\Temp3318692942\wssdep.cab
| MD5 | 784f7df7907c8bbb77cfdec26176b715 |
| SHA1 | cf5792a14c9311e2b98a3122d59178ff536e4c2d |
| SHA256 | 4d49923aaaadf6a7dd4f9c093dbb6878a00363a3e0a18e5bcc54e61175aa8d80 |
| SHA512 | 4e3edadf6939fc8a6fd1acef72460d782397ef7a6e7abce7ca1a17b6e3e7bdda54398091b6be7547333d50b79f2faa08dd02c17a53900a12d3c83e296b5cde2e |
memory/4568-381-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-388-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-389-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-394-0x00007FF79B840000-0x00007FF79B850000-memory.dmp
memory/4568-387-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-386-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-385-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-384-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-383-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-382-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-380-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-379-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-378-0x00007FF782B80000-0x00007FF782B90000-memory.dmp
memory/4568-479-0x00007FF7866A0000-0x00007FF7866B0000-memory.dmp
memory/4568-476-0x00007FF7C2FE0000-0x00007FF7C2FF0000-memory.dmp
memory/4568-457-0x00007FF7B44E0000-0x00007FF7B44F0000-memory.dmp
memory/4568-456-0x00007FF7B44E0000-0x00007FF7B44F0000-memory.dmp
memory/4568-438-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-428-0x00007FF758960000-0x00007FF758970000-memory.dmp
memory/4568-415-0x00007FF7B44E0000-0x00007FF7B44F0000-memory.dmp
memory/4568-514-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-499-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-546-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-585-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-579-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-573-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-572-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-568-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-565-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-620-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
| MD5 | 3068531529196a5f3c9cb369b8a6a37f |
| SHA1 | 2c2b725964ca47f4d627cf323613538ca1da94d2 |
| SHA256 | 688533610facdd062f37ff95b0fd7d75235c76901c543c4f708cfaa1850d6fac |
| SHA512 | 7f2d29a46832a9a9634a7f58e2263c9ec74c42cba60ee12b5bb3654ea9cc5ec8ca28b930ba68f238891cb02cf44f3d7ad600bca04b5f6389387233601f7276ef |
memory/4568-615-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-613-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-679-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-677-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-701-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-700-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-698-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-697-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-688-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-685-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-659-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-609-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll
| MD5 | 29d2c8df586879a81d8b4e21c1916a4d |
| SHA1 | 221ee1eb754113636bdacd00a18f9e59661f4ebc |
| SHA256 | ce6d31f4ca28d5ede624fd724e8a99cfb47776391a4339090b1abbbf7a0be4d8 |
| SHA512 | 7cdbc57d37db1468960f871f55e639feee954661e0d159a38eccef6c2270606e32ad49779fe409ede69cae960fcfbc52e309115d7796a27ffae914a256377130 |
memory/4568-603-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-596-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-557-0x00007FF7841B0000-0x00007FF7841C0000-memory.dmp
memory/4568-556-0x00007FF754470000-0x00007FF754480000-memory.dmp
memory/4568-539-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
memory/4568-537-0x00007FF7732D0000-0x00007FF7732E0000-memory.dmp
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll
| MD5 | b2985f3137a70b3f64fee061ccc5f2fc |
| SHA1 | 6af2342ddc4acbf308d519c5857efe3f3733f55e |
| SHA256 | 2d7698e65aa98eb6bc73bd387b4fe3730f22096907e9d4eda206bf217ba0a7ac |
| SHA512 | 246f33db73132333ef140ccacb3479f38c72698d1bde960b698abc8509600a031fed67554db7b08328fba6da3372e0fcc252b11cfa712448b2b69e0d08f3f660 |
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
| MD5 | af384aa87e3d70f7a687c5c60da2fb7f |
| SHA1 | 32e4154ea9316bf82590e7480ae51283cb6b6e4c |
| SHA256 | 2976c862c9813b309f696f3cc96d516c96aa9b42545888615591d268f23f5762 |
| SHA512 | 1cbb5dc5516d1143d022a1548893a2199491baa4b1327b5aa0398bbe42fd4e7f5e1a484d6a1f15124dff6d5d8bebc728b58442de388f34d1ead78e7ab9f8a852 |
C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll
| MD5 | daeb30acfabe42c4815d04673d167b63 |
| SHA1 | 23ba3e0cf2bca87ab6a984a9d2f846bf5832e1b2 |
| SHA256 | f6bca637d5cf3d5eba4c9b48b6825ebd8a0f324a59b70d756e153b6585666ca7 |
| SHA512 | 5678ce77b1b73eb0fbeb96ca305b411b4ad7b2c4a5ff78370c9f216dbed36386ffe6411328ddbd6476965c7acd89b4bc7c15de9354ee98c5b4f88d9968630440 |
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll
| MD5 | 1dda4e57701e0cccb6110c39c9358a82 |
| SHA1 | 6b94553fb9d5dca7416fe732f5966bd9393dc65c |
| SHA256 | b9233e27bc39d38dd73cfaef09d08eae86969d44c23ba839614d616b19adaa76 |
| SHA512 | 95fbc786cfa33361ae518c170027a8141a8448de751ed8e7b998cfb058025ce4438c9cba2f24f268e6364f63920216cdad24c2cd1759485d1647eeebc9fce496 |
C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll
| MD5 | 86dd7104f29b84681116801719336dec |
| SHA1 | 28493bc9fd3d0a5c8b2f6311f6d061c8286b612c |
| SHA256 | 4f98836c41b72b529c5b14e3001f71a1100772bae5392803176ebcab8fbd6c7b |
| SHA512 | 5179913f8ad2ce23276cbcc387a3789f02f824d59faba1cc8f12780c027a63256fa9a356c0a950b697ef0c2eaccd66f064445fda4952d092617186fc2e7169de |
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
| MD5 | a7b0dabf4a52b6827c35de1e05111ba6 |
| SHA1 | 21065f550492165d5290446e433e0f9cdefaeecd |
| SHA256 | b92f20569bcb06eb12a87d278592af03f564281ad9803eb8ee748eed0c4afbf2 |
| SHA512 | 5c4996df6335d5cf045f09d04ccf2382306ab4ab962dc2ab1889248df00f1470a336724bf137986df7be60e6b5b2417d75e4270b18f3f87fb533a8c1c530ed3d |
memory/2116-1933-0x00007FF9D4983000-0x00007FF9D4985000-memory.dmp
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | 1a0a2e99f233e620c63b0d58c0ed05fe |
| SHA1 | b408a5dc561684c820f813faf2991eab079a03fd |
| SHA256 | 480a50464c1661fd55dacc51ce72419488c886bb181efe0bf33bb46a9846eaf4 |
| SHA512 | 0ccc62a3d01ee55872c09c6abfcd5dafb065cac4646667d39726648e0f90bee73fa0b524011813f539f8bd913063c76021560a0400f3759cbc76a04524f67e58 |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | 9adbf0b2a7d9ca0782176c646d9c5d34 |
| SHA1 | a6e0d86c368bb7b0c4df442d99427e130071fbf4 |
| SHA256 | 8188e4150ac441b62b9f070649879e96b4ae6a2da4e984241163d87c2fe94185 |
| SHA512 | a48f41374e85119b00278f2fbfede5aadbc62af606225b5ce3bd3e589a320d8316020f11d3045cbe2e58bd9dcba17d0fd427be6bdf8f5a466857a84ceb6a38ed |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 548b4fc7f44d0c4010e639fb653ff8d7 |
| SHA1 | c879c1cb00cf26317c03ed7c1c3ef9456ba11178 |
| SHA256 | 8ed140e231683a2865f23df0a4ac5b9b2c129597e4dcdabf80e8470699690095 |
| SHA512 | 472ed5008ecd493aa11992d85ac10403b586722808ed412f63004521b96701b0e3343ec73327966763d5f5253f169a466eef4d1eea91c17308acd0e89f8c7690 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 40259d70dd6092eb06e319e1674ff477 |
| SHA1 | a7dd9d96246e6300cb068a9f2e30e407cd5dcda6 |
| SHA256 | 23014542a6390e76f31823c5232379f8384f985de4d0e668d3bf901953911693 |
| SHA512 | 61f3ca2728786146338c1afd9a7639ac95815307db3c1dfda3209f37f6caea13aaab0bd5f7b562b6a157eea419ff001c6dc16cad0d76176f5cca7d9730e49e9f |
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | 305b68aeb7b54f3544735b1a28c79d80 |
| SHA1 | ad863eb13444941e286912d0517a74469eeba986 |
| SHA256 | 078463dcc111931f78007e29ae779bdba5b080d30e24b1d436f6d854b31e74e8 |
| SHA512 | 70848fc3e630969aeedb135c7d606d9911ee4f6f9d6e219c92d11e6ac6d725000bbdf5b88f7ea1e104eeb104a84c0decdf61f5d54f1da92806bef8f7b26e8d5d |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 83215f58ac60fccc04491eac8dd496bb |
| SHA1 | 31e1e57c99ed2c44bc19c28d0c0912c4be8685b7 |
| SHA256 | ca3afe2c4b93ae305e2338a170d6468a9a423fb2b401695b32d2704bbe5158dc |
| SHA512 | ea6e215b5fd54ec54f08f88a613c39f47cc5c2c5cdf480e504748945bfd9bb13ef7d3c1c90e1e1b244f73a18b5bc053f5032f3bf6b2769aa59597472d737bd7e |
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt
| MD5 | 7a9dbc17430b3fc72da51a7b50e74f62 |
| SHA1 | 691dfaac2f4d6b43230db928289feb2c919307e2 |
| SHA256 | ef5c58fb7c1e2e255e527d88b2eb1f9e452752c4c1a75595090f9f7c3f0d812c |
| SHA512 | 049da275884cbe71954cf2e9841a22984dc37c7fffb7ee5aaf6d9fd12d5ce40b581ef7666df3f666826f626b109ff8584cf0471a83836aa592c6b7201431baca |
C:\Windows\Logs\DISM\dism.log
| MD5 | 585a260e11d073aea5e84953945781c5 |
| SHA1 | 437715aa0ba9535576bd8cd4a28cac212d2667c3 |
| SHA256 | 431eea66dcc0a3eafb7a11ba3529fa908f91433a6d8d632a062787145354f758 |
| SHA512 | c4453722a717bcad82d8c17dfdcfc296679b51270754bcded30af433a46a6505f41187b660878947559fa251dce1c64fce869e93eab8c6eca88283331c8b1501 |