Malware Analysis Report

2024-09-11 05:55

Sample ID 240608-savkbsde78
Target LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
SHA256 1f5cc5c2211c48f57acf7d4113a487fbbd74a423303102821c913139d7ff782a
Tags
discovery execution exploit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1f5cc5c2211c48f57acf7d4113a487fbbd74a423303102821c913139d7ff782a

Threat Level: Likely malicious

The file LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit persistence spyware stealer

Possible privilege escalation attempt

Creates new service(s)

Reads user/profile data of web browsers

Modifies file permissions

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Launches sc.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies system certificate store

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-08 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 14:55

Reported

2024-06-08 14:58

Platform

win11-20240508-en

Max time kernel

71s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe"

Signatures

Creates new service(s)

persistence execution

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-ko-KR.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-ko-KR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-de-DE.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\lookupmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa_install_check.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-fr-FR.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\uninstall.ico C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\logicscripts.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-ja-JP.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\browserplugin.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\servicehost.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mfw.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa_install_error.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-de-DE.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-es-MX.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\eventmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-pt-PT.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-en-US.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-it-IT.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-nb-NO.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mfw-nps.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wssdep.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-zh-TW.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-es-ES.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-fi-FI.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\browserhost.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mcafee_pc_install_icon.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\resourcedll.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\settingmanager.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa-install.css C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa_logo2.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-nl-NL.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-es-MX.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File opened for modification C:\Program Files\ReasonLabs\EPP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mfw-mwb.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-da-DK.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-fi-FI.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa_install_close.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-hr-HR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa-core.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-fr-CA.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-zh-CN.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-it-IT.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa_logo.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-fr-CA.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-zh-CN.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-zh-TW.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-da-DK.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-hr-HR.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\eula-es-ES.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-en-US.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-es-ES.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mcafeecerts.xml C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\uihost.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-tr-TR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-sk-SK.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-shared-pt-PT.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\wa-utils.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\jslang\wa-res-install-hr-HR.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\icon_failed.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\l10n.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\Temp1825618398\mfw-webadvisor.cab C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
N/A N/A C:\Program Files\McAfee\Temp1825618398\installer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe N/A
N/A N/A C:\Program Files\McAfee\Temp1825618398\installer.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3348 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 3572 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe
PID 3572 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe
PID 3572 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe
PID 1348 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe
PID 1348 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe
PID 4052 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 4052 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 3348 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 3348 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 3348 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 4916 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 4916 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 3352 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe C:\Program Files\McAfee\Temp1825618398\installer.exe
PID 3352 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe C:\Program Files\McAfee\Temp1825618398\installer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=61e5f7e5b9889a47c8bfdd9f3bb21e04e4d71212&dit=20240608145681950&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=en -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe

"C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe" /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp1825618398\installer.exe

"C:\Program Files\McAfee\Temp1825618398\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=197148

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Users\Admin\AppData\Local\Temp\E50C4A54-5245-4EEF-97D6-6848BF4AB365\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\E50C4A54-5245-4EEF-97D6-6848BF4AB365\dismhost.exe {3227F6ED-F96D-484E-A4C4-42B0CAA43DAF}

C:\Program Files\McAfee\WebAdvisor\updater.exe

"C:\Program Files\McAfee\WebAdvisor\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.supercell.brawlstars|package=com.supercell.brawlstars

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C0

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd272e3cb8,0x7ffd272e3cc8,0x7ffd272e3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd272e3cb8,0x7ffd272e3cc8,0x7ffd272e3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,11416701976590052978,5709319800198636471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1

Network

Country Destination Domain Proto
FR 13.249.12.102:443 d3n1ms4uhtqgov.cloudfront.net tcp
FR 18.155.128.188:443 d1arl2thrafelv.cloudfront.net tcp
FR 18.155.128.188:443 d1arl2thrafelv.cloudfront.net tcp
US 8.8.8.8:53 188.128.155.18.in-addr.arpa udp
FR 13.249.9.78:443 encdn.ldmnq.com tcp
US 8.8.8.8:53 154.200.245.18.in-addr.arpa udp
US 8.8.8.8:53 90.193.84.52.in-addr.arpa udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
FR 52.222.201.79:443 shield.reasonsecurity.com tcp
FR 18.155.128.109:443 d1arl2thrafelv.cloudfront.net tcp
US 52.25.192.230:443 analytics.apis.mcafee.com tcp
FR 52.222.201.79:443 shield.reasonsecurity.com tcp
US 2.22.144.38:443 sadownload.mcafee.com tcp
US 34.235.5.104:443 tcp
US 34.235.5.104:443 tcp
US 34.235.5.104:443 tcp
US 34.235.5.104:443 tcp
US 216.239.36.178:80 www.google-analytics.com tcp
US 18.245.199.108:443 update.reasonsecurity.com tcp
US 34.235.5.104:443 tcp
US 3.165.113.92:443 electron-shell.reasonsecurity.com tcp
US 34.235.5.104:443 tcp
US 2.22.144.38:443 sadownload.mcafee.com tcp
US 52.111.229.19:443 tcp
US 54.160.126.31:443 tcp
US 54.160.126.31:443 tcp
US 52.25.192.230:443 analytics.apis.mcafee.com tcp
BE 104.68.84.174:443 tcp
US 54.160.126.31:443 tcp
US 54.160.126.31:443 tcp
FR 18.244.28.72:443 cdn.reasonsecurity.com tcp
US 54.160.126.31:443 tcp
US 54.160.126.31:443 tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 2.22.144.21:443 sadownload.mcafee.com tcp
US 52.25.192.230:443 analytics.apis.mcafee.com tcp
US 52.25.192.230:443 analytics.apis.mcafee.com tcp
US 52.25.192.230:443 analytics.apis.mcafee.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
FR 52.222.149.35:443 ad.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
US 163.181.154.236:443 en.ldplayer.net tcp
US 8.8.8.8:53 236.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 163.181.154.248:443 advertise.ldplayer.net tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
US 163.181.154.248:443 advertise.ldplayer.net tcp
FR 52.222.149.35:443 ad.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
US 18.245.199.74:443 alliance.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
US 163.181.154.241:443 res.ldplayer.net tcp
FR 13.249.9.78:443 encdn.ldmnq.com tcp
FR 3.162.38.96:80 apien.ldmnq.com tcp
FR 3.162.38.96:443 apien.ldmnq.com tcp
US 163.181.154.241:443 res.ldplayer.net tcp
FR 3.162.38.36:443 cdn.ldplayer.net tcp
FR 3.162.38.96:443 apien.ldmnq.com tcp
US 163.181.154.232:443 www.ldplayer.net tcp
US 163.181.154.232:443 www.ldplayer.net tcp
US 8.8.8.8:53 cmp.setupcmp.com udp
US 172.67.70.36:443 cmp.setupcmp.com tcp
FR 3.162.38.96:443 apien.ldmnq.com tcp
FR 142.250.179.110:443 www.youtube.com tcp
FR 142.250.179.110:443 www.youtube.com udp
FR 172.217.20.214:443 i.ytimg.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com udp
US 172.67.70.36:443 cmp.setupcmp.com tcp
US 8.8.8.8:53 110.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 214.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 104.18.30.49:443 stpd.cloud tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
FR 13.249.9.21:443 encdn.ldmnq.com tcp
BE 2.17.107.226:80 apps.identrust.com tcp
FR 142.250.178.142:443 apis.google.com tcp
FR 172.217.20.162:443 googleads.g.doubleclick.net tcp
FR 216.58.214.162:443 www.googletagservices.com tcp
FR 142.250.178.142:443 apis.google.com udp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
FR 172.217.20.162:443 googleads.g.doubleclick.net udp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
FR 3.162.38.67:443 apien.ldplayer.net tcp
FR 99.86.91.84:443 tagan.adlightning.com tcp
FR 142.250.75.230:443 tcp
SG 8.219.223.66:443 usersdk.ldmnq.com tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 18.245.194.122:443 c.amazon-adsystem.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
FR 52.84.174.40:443 config.aps.amazon-adsystem.com tcp
FR 3.162.36.191:443 aax.amazon-adsystem.com tcp
GB 23.49.161.153:443 secure.cdn.fastclick.net tcp
GB 23.49.161.153:443 secure.cdn.fastclick.net tcp
US 104.22.53.173:443 cdn.hadronid.net tcp
US 172.67.38.106:443 cdn.id5-sync.com tcp
FR 18.155.129.21:443 tags.crwdcntrl.net tcp
FR 172.217.20.196:443 www.google.com tcp
FR 142.250.179.106:443 jnn-pa.googleapis.com tcp
FR 142.250.179.106:443 jnn-pa.googleapis.com tcp
FR 172.217.20.193:443 yt3.ggpht.com tcp
US 104.22.5.69:443 id.hadron.ad.gt tcp
IE 52.48.212.10:443 bcp.crwdcntrl.net tcp
FR 142.250.179.106:443 jnn-pa.googleapis.com udp
NL 142.250.27.84:443 accounts.google.com udp
NL 63.215.202.146:443 proc.ad.cpe.dotomi.com tcp
US 8.8.8.8:53 21.129.155.18.in-addr.arpa udp
US 8.8.8.8:53 153.161.49.23.in-addr.arpa udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 193.20.217.172.in-addr.arpa udp
US 104.22.5.69:443 a.ad.gt tcp
FR 172.217.20.174:443 play.google.com tcp
FR 172.217.20.174:443 play.google.com tcp
FR 172.217.20.174:443 play.google.com udp
US 163.181.154.236:443 www.ldplayer.net tcp
N/A 224.0.0.251:5353 udp
GB 2.18.66.51:443 tcp
US 20.189.173.14:443 browser.pipe.aria.microsoft.com tcp
BE 88.221.83.217:443 r.bing.com tcp
BE 88.221.83.217:443 r.bing.com tcp
BE 88.221.83.217:443 r.bing.com tcp
BE 88.221.83.217:443 r.bing.com tcp
BE 88.221.83.217:443 r.bing.com tcp
BE 88.221.83.217:443 r.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

MD5 7d5d3e2fcfa5ff53f5ae075ed4327b18
SHA1 3905104d8f7ba88b3b34f4997f3948b3183953f6
SHA256 e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4
SHA512 e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

memory/3348-12-0x0000000005900000-0x0000000005910000-memory.dmp

memory/3348-13-0x0000000072BEE000-0x0000000072BEF000-memory.dmp

memory/3348-17-0x0000000005280000-0x0000000005294000-memory.dmp

memory/3348-18-0x0000000073550000-0x0000000073564000-memory.dmp

memory/3348-19-0x00000000081F0000-0x0000000008796000-memory.dmp

memory/3348-20-0x0000000007DE0000-0x0000000007E72000-memory.dmp

memory/3348-21-0x0000000009220000-0x0000000009264000-memory.dmp

memory/3348-22-0x0000000009300000-0x000000000939C000-memory.dmp

memory/3348-23-0x00000000093A0000-0x0000000009406000-memory.dmp

memory/3348-24-0x0000000009940000-0x0000000009E6C000-memory.dmp

memory/3348-25-0x0000000008190000-0x000000000819A000-memory.dmp

memory/3348-26-0x0000000072BE0000-0x0000000073391000-memory.dmp

memory/3348-27-0x0000000072BE0000-0x0000000073391000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 cd56e155edf53e5728c46b6c9eb9c413
SHA1 14b1b0f090803c9ee39797aed4af13dc7849566d
SHA256 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a
SHA512 a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

memory/3348-46-0x0000000005900000-0x0000000005910000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 3569ff1aa5310102ef02c312ca4dbe9a
SHA1 4124b1e805d5c487bf86182d19ed22bed6cf44ac
SHA256 3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b
SHA512 c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d

memory/3348-59-0x0000000072BEE000-0x0000000072BEF000-memory.dmp

memory/3348-60-0x0000000072BE0000-0x0000000073391000-memory.dmp

memory/3348-61-0x0000000072BE0000-0x0000000073391000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

MD5 a75a8a0f238db66cae9e6ee7c6fa1398
SHA1 df09747c6daa33434370fef19e9cad9b8aa4cefc
SHA256 7eccb9f147fc7aabece846c08fdb799aaa1d52ac06b0dcfbc7b2274109c2fb64
SHA512 d365c2748c2f7ba1b9ca929c4462393de3640f6144bc2624373d18853a16fa126602f271551577e30dbfff47a309b5f244bbebec0cb1d806793eba49d2aace87

memory/3572-75-0x000001C222EA0000-0x000001C222EA8000-memory.dmp

memory/3572-76-0x000001C23D930000-0x000001C23DE58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rh10bi5z.exe

MD5 04b1488ff0fc01bd8db1d11a55761e13
SHA1 7dd000f446be960c9684c70cf5925fd9f9fef58f
SHA256 c409077e4740ce8dd1e72585eeeb34bf9faee6e38a875dbda2a3cd624f6bf0a4
SHA512 892ae7eabed998a0ae1b1e4c2d2781faa41fc75996444308c9df75fbc49fd19d986650f544c1f60d95a0566bf05e5468b9f4d34313ad38308630962d181964ee

C:\Users\Admin\AppData\Local\Temp\nsh3C4A.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\RAVEndPointProtection-installer.exe

MD5 31cb221abd09084bf10c8d6acf976a21
SHA1 1214ac59242841b65eaa5fd78c6bed0c2a909a9b
SHA256 1bbba4dba3eb631909ba4b222d903293f70f7d6e1f2c9f52ae0cfca4e168bd0b
SHA512 502b3acf5306a83cb6c6a917e194ffdce8d3c8985c4488569e59bce02f9562b71e454da53fd4605946d35c344aa4e67667c500ebcd6d1a166f16edbc482ba671

memory/4052-149-0x0000016061930000-0x00000160619B8000-memory.dmp

memory/4052-151-0x00000160635C0000-0x0000016063600000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\rsStubLib.dll

MD5 98f73ae19c98b734bdbe9dba30e31351
SHA1 9c656eb736d9fd68d3af64f6074f8bf41c7a727e
SHA256 944259d12065d301955931c79a8ae434c3ebccdcbfad5e545bab71765edc9239
SHA512 8ad15ef9897e2ffe83b6d0caf2fac09b4eb36d21768d5350b7e003c63cd19f623024cd73ac651d555e1c48019b94fa7746a6c252cc6b78fdffdab6cb11574a70

memory/4052-153-0x000001607BE40000-0x000001607BE70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\rsLogger.dll

MD5 4ece9fa3258b1227842c32f8b82299c0
SHA1 4fdd1a397497e1bff6306f68105c9cecb8041599
SHA256 61e85b501cf8c0f725c5b03c323320e6ee187e84f166d8f9deaf93b2ea6ca0ef
SHA512 a923bce293f8af2f2a34e789d6a2f1419dc4b3d760b46df49561948aa917bb244eda6da933290cd36b22121aad126a23d70de99bb663d4c4055280646ec6c9dd

memory/4052-155-0x000001607C050000-0x000001607C08A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\rsJSON.dll

MD5 afd0aa2d81db53a742083b0295ae6c63
SHA1 840809a937851e5199f28a6e2d433bca08f18a4f
SHA256 1b55a9dd09b1cd51a6b1d971d1551233fa2d932bdea793d0743616a4f3edb257
SHA512 405e0cbcfff6203ea1224a81fb40bbefa65db59a08baa1b4f3f771240c33416c906a87566a996707ae32e75512abe470aec25820682f0bcf58ccc087a14699ec

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\rsAtom.dll

MD5 16d9a46099809ac76ef74a007cf5e720
SHA1 e4870bf8cef67a09103385b03072f41145baf458
SHA256 58fec0c60d25f836d17e346b07d14038617ae55a5a13adfca13e2937065958f6
SHA512 10247771c77057fa82c1c2dc4d6dfb0f2ab7680cd006dbfa0f9fb93986d2bb37a7f981676cea35aca5068c183c16334f482555f22c9d5a5223d032d5c84b04f2

memory/4052-158-0x000001607C090000-0x000001607C0BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\uninstall.ico

MD5 af1c23b1e641e56b3de26f5f643eb7d9
SHA1 6c23deb9b7b0c930533fdbeea0863173d99cf323
SHA256 0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058
SHA512 0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\Microsoft.Win32.TaskScheduler.dll

MD5 192d235d98d88bab41eed2a90a2e1942
SHA1 2c92c1c607ba0ca5ad4b2636ea0deb276dcc2266
SHA256 c9e3f36781204ed13c0adad839146878b190feb07df41f57693b99ca0a3924e3
SHA512 d469b0862af8c92f16e8e96c6454398800f22aac37951252f942f044e2efbfd799a375f13278167b48f6f792d6a3034afeace4a94e0b522f45ea5d6ff286a270

memory/4052-163-0x000001607C120000-0x000001607C178000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\rsSyncSvc.exe

MD5 3068531529196a5f3c9cb369b8a6a37f
SHA1 2c2b725964ca47f4d627cf323613538ca1da94d2
SHA256 688533610facdd062f37ff95b0fd7d75235c76901c543c4f708cfaa1850d6fac
SHA512 7f2d29a46832a9a9634a7f58e2263c9ec74c42cba60ee12b5bb3654ea9cc5ec8ca28b930ba68f238891cb02cf44f3d7ad600bca04b5f6389387233601f7276ef

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

MD5 3322ee3006f2b5724444eeea5ac75438
SHA1 e578ed2501f3d23824938ec94511641c5e81958c
SHA256 738a195c4fc9a88c592adf9e73797ae93a093e8d52132a1157809c965b829b6f
SHA512 fcc238c50a063f5b37b8cfdf24b535583acea705404bfc0657f64b9bd701222a8c93931b10a2edf74018d50b6ef0faf9c982226cc0188cab619e2d5f29789b47

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

MD5 a115e1835d9e2212ceb5d799a2e7bcbf
SHA1 912ef75b5384d79c800da5f231de8db26b35bfb1
SHA256 3cc1d2e8dc239bf5c4ccb79d4afe6434d71fa1dd7a8babf4d685e977bafc472f
SHA512 a70374d98ae74eac59706d3cbbe51ac2f2a8738a0b714819b14d750987411d5dba58675d8cc0f47210099202352a68878d58f5069da5e27e9af239303e0013c5

C:\Program Files\McAfee\Temp1825618398\installer.exe

MD5 93d7052d6af855d8c0f4579c08818bae
SHA1 a7042fbf838d61670299ef801ae0a7c9b6df9cc8
SHA256 943f050e0f42b0ae2281068387e202708e836ed1ead0039ee7f0f4beda29e9bf
SHA512 6db8b86cb459bc3df9d0cbdc104d99d19f7ffdb9fa9b78bfa687bc61fd5caf241b7ab1bf63aad9b15cbdfb02a849006ba65a19ca146722bc3e66fe22b5c767f4

C:\Users\Admin\AppData\Local\Temp\mwa560A.tmp

MD5 662de59677aecac08c7f75f978c399da
SHA1 1f85d6be1fa846e4bc90f7a29540466cf3422d24
SHA256 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb
SHA512 e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

C:\Program Files\McAfee\Temp1825618398\analyticsmanager.cab

MD5 56b30b0713532ac9fe5bceb69f70a02a
SHA1 12a3907f78c4911128ce9e9bcff69b6860e78f6e
SHA256 daf037707f191d0c63f727d7a28784b27891d83c7876c3b47721440707215277
SHA512 f96b2bc5a57f136cfd9d2d175dcfacee5f0e108e633854182b95d18735df746c006a6bc326b8f4ef2937cc375947ffe86fee1f249d26b1d9645b810a4eb7c81f

C:\Program Files\McAfee\Temp1825618398\analyticstelemetry.cab

MD5 927b558dc0660f74cfb2ea6145a91d8e
SHA1 12a62e3a148c82069e058896c547c2188546cf62
SHA256 b9117db0855d6190a67cfbc65944931dd0d309a3f74344d3daa6634629076abd
SHA512 7f0325d3d8e681b29a6eb273092f821add09154ef956d25d225a40020fa1efe49b642025fa5befc16ddf1b5ff067a951b308722e654bd88be281a7ed9def6888

C:\LDPlayer\LDPlayer9\MSVCP120.dll

MD5 50260b0f19aaa7e37c4082fecef8ff41
SHA1 ce672489b29baa7119881497ed5044b21ad8fe30
SHA256 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA512 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

C:\LDPlayer\LDPlayer9\msvcr120.dll

MD5 50097ec217ce0ebb9b4caa09cd2cd73a
SHA1 8cd3018c4170072464fbcd7cba563df1fc2b884c
SHA256 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512 ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

C:\Program Files\McAfee\Temp1825618398\browserhost.cab

MD5 ca5db1027cd7bb4502b15cf4666407a0
SHA1 5642e539200d0544878beb176375137aca9d0fd2
SHA256 08781d0ecef8526153e4a09fca9d1bf7d6694a2500b54f77c00cab7354a0f353
SHA512 fcdd3496254e61f238baffee146d8aa82850adb7caf88727bf1476fddb092156d9f42336ad884ba001e02bf0a986c9643a82f19856cf96f2ec9c52718f24c5e6

memory/4380-547-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\browserplugin.cab

MD5 49018cd84a146b8a4df1ff11226dd364
SHA1 f4c79253f6186b2cb709d0a1b043b82a7cdec1e2
SHA256 c04e635ec5a8c3434fbdcb250d3e3334d0c0e8590a60d5533854e64a291b605b
SHA512 e4b7145796c34d1128a2876f768b6b97ed7fae98a3d7dc4cdc13e15c5dfdbbd684d3439187de556480af6f5c934df054544519428bed32f741aa509ebbc30df9

memory/4380-549-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-546-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-545-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-544-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\LDPlayer\LDPlayer9\crashreport.dll

MD5 7d2b7e50bf352bcacd36ace10744bb75
SHA1 8e30304a46431422f8f980141f674416e554fc8f
SHA256 14bff3e96d291118952ed06f7f475f882b2c1ecc1eac9823c508c63c02fc9da0
SHA512 deb21e0633c48959ff20e7ab1884230e00f1b97d1e156a41b967521221f2e29412be040ddff649db9e03a5977654df744f1bb974091a7e5cabb2c859bfc869fb

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 894c5d2f7e3e2a5f86f2c56f78863aad
SHA1 cf080f5a08f097fb2eabf05563696cef90835623
SHA256 02b83bb51f9986a5d1c9c6d00242a02b64b80868b330d046d52a86f87a417c54
SHA512 d89f0bd6754e7bb7dde925d55fc2f6bbb6778df59faa2e7974cce5fbff9789ea8f9afd73ff678289055848a113a12d3bdebcc51020ca5c475a990927c79bc9d4

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 36e62f5619f31f4f013c01eeb0fd8971
SHA1 fd1fc87a0f3f77a34df8335982e2eb93aaa9ab7d
SHA256 db84fc8906f56e08c954d897b9cbddf55f6e21bba57aca6452d29778aa029982
SHA512 518b8e8312f6a62839a30e5deb754175a0d1c13a1c485adc596b67911319a739be387ebee674ef27e919af190278104fb8008029df19a99f6f4e95bf63e6786c

C:\LDPlayer\LDPlayer9\dnresource.rcc

MD5 70058f2d60daef1ccc7bbcba210f0ace
SHA1 ef214ade419a724272ac82e9de5233d7c0afa64b
SHA256 43b26f40e04ae6854569a01803541245abffcd130f1345191afd8bf6b0ca7873
SHA512 a0b3ca59ffad882fbff69012023eaa8aadb77d3ff1252562e5480e7dc3c9336afb3c5f58fb435246ec48c758d3c9d17ae9ea8a28f9d4766fad1a4c672cbf9b9a

memory/4380-557-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\l10n.cab

MD5 036d59440166147dabc4b275c1dfefe5
SHA1 58df2a1b943ae105672359b2a1f1d6730b2924dd
SHA256 554e1057acab58ab2eddfdc17b37c341b5aa88981a47cf6435b5738a03c2e056
SHA512 57c06b786240e2ac41fe1559bf157281ea44e32f22c819f30c01b417e2d18e9b5f90de541a417eea2e6c0af7937af15b6881f9de15e6511b765c8a984f14b882

memory/4380-559-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\eventmanager.cab

MD5 b09671a2da98f1d5a2eb9d587c2ffcf0
SHA1 166c453cf9c3af774630fe58de89f6b164e95d44
SHA256 318d6819ed281b15ad9a47ed87ab7afde45c214fca4503609bfdebf13d1f1234
SHA512 0b1e139f946f76c8c480c571d6cf1f630c8f201d9690f1d3cbbefa7e84792e84b73cc043bb638ca5dfd38d47e04dc22f12fcdc08d156cd44f32613bccfc1fe84

C:\Program Files\McAfee\Temp1825618398\downloadscan.cab

MD5 86dc3b04ab10fd34164d17e5068a1a52
SHA1 fd3a9edcc6d41e9ad41ce0da76fe3ecaaadbe3a5
SHA256 fd4a1289c2f121edae77bf376d3b25cc580f2b702914e26bb4c6053af932a1c8
SHA512 5cc4608f4b6d344a30c8b65db4e425e9c25edfbdc2d7a55ef42971293e7c58cf2576e3b394b14dec9574a17fd7131fdb711f058fe6e36239ba7b1fbb1ac40438

C:\Program Files\McAfee\Temp1825618398\logicmodule.cab

MD5 7d568f8cbe26fa442ebe414048a08bea
SHA1 2a1983bfe5e7283b84946cf57e48fece5add366b
SHA256 50fd5f6ef94aea7bf971498f2dcab28dfe13219e3b1f5761a0e59a7686a09778
SHA512 a50e740806d7e0808b6cbd37924f49e7f02ad5ab51a959c6974fa1f90f110ff31643467c1b9d02d4ce9c9dcb622fac35d01133ce042a1a8eb7d2201d81efbc9c

memory/4380-561-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\lookupmanager.cab

MD5 23fee50b385dd11c143fb551ee19c4d7
SHA1 c06ced7278a929547aa879462aa8561b10acf1e4
SHA256 aaec871ec7a56d4c04364b1fc058f359938c624c0a039ea1826541788216cbef
SHA512 7f11d1752da6184c5ffe0cbe464751b44963e4a6797359d01a196a70c68726a42c2a2f9a900919bc3bd02206d8a1e2c27da0b3b81e575c5399d53f145ebf3792

memory/4380-565-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\logicscripts.cab

MD5 6bb42375a5a757a5061801a5b7257f36
SHA1 050fef41c3608871c1dc04a0b0bd7d362a71ddbd
SHA256 d0b2778082cd2c48ac7bc482a7c6fb8f28696fa8471c6764192e63ff990b3fc9
SHA512 3fd2ac531ad64966d16e9acb4e331cc2f05b7728fd55830fd4d43004c71b1851785e3b575477e1779f19b40b795dd90a6e7bc8b37ec4887a5dd36525e98b5aa7

memory/4380-563-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\mfw-nps.cab

MD5 7ae5439aec41ef4d6b50566f7ba22631
SHA1 73c5a634c2ea9256a73b51dc53eef4b7e86b3b5f
SHA256 0be932d06a84f96d510531a077ff0e0f2153c78e06d992c6539ef0a15ddd8a2a
SHA512 6446e0e517a44febfc91c98c901497357afb0e38c8371113ef1ff56e4b44d3471f95988e4a9deb33e74e25d5a25ca204c848573006a5020efc93811ed71633d8

memory/4380-569-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\mfw-mwb.cab

MD5 83f162f5686a8c516fc463fb9ce02ad5
SHA1 dc64e1e40623940e565266ad28db9b3439a2260b
SHA256 a7808f8f42ef66e209775640f9ca5be8a63334bbc22ae3fe622b526e7cbb3a51
SHA512 af22c14de4fe09e68384f14687a4dbb46fdea04e039802ed15e4cfeda4edf4a7cfbafa5fb8edfa8c773d73a1a3454457c8c3b53241fc283280733551e1d01e00

memory/4380-571-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\mfw-webadvisor.cab

MD5 ecdffe61209f383c9a96392a9b2aba17
SHA1 59a4fddacaafaf137e90329f57ce27f8db1c94bb
SHA256 244503206ce1c914674b6591f811ef40c7949193fffe55f2d82b030c7c888f8b
SHA512 a1b777bfb7e10a86c17f808fcd9f91728cd2ab5a371a9bfb5cd6012cc2d6819dfbefeee0a6ef1696fe3591aa7cd34dd717a2653d68fb2c254f4dc6b85f469893

memory/4380-572-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-567-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\settingmanager.cab

MD5 54cb3ac2a843966d414d9cd0af8f0a05
SHA1 f0eec3dd0fdf4f4c2f37e2e33fa517d2018335f8
SHA256 2c54b779f120ff84f4a23cbedf3e0bceaee96d89c26b208d86b2b6e82f7296d4
SHA512 5ee4f980b45b9add79f38d1531c1baada56162d770962bdc92e2660bf2d8246938065c9f0038cc238da3bee386299214f93923193ce3d8fbeff994322b1838d0

C:\Program Files\McAfee\Temp1825618398\servicehost.cab

MD5 be887eb8dc80142ee1452e0c6981a6b4
SHA1 0579008ee4a23e8a6b2cee3602113829de8acdbe
SHA256 fb7b18a604977e9273474a7a8ce977da855b01af91d256bfd8cfe2592ef91987
SHA512 9fc2a104ec0267263a3bf853d6e8058bf6769ce736db17b83a33ca0ed751f52200a44cf69f7914dc583e3b8943a5f3849cb7a9a644336d3f36f4f6ce58348bcb

C:\Program Files\McAfee\Temp1825618398\taskmanager.cab

MD5 0f7536a2421ba941de715f9aad83f9d2
SHA1 169b823e20ffba7f98ab32141056e1cbe30ad37d
SHA256 6d34c04c6ccaed5c08b7ccab7266ecf8108834038dca8576f2e1eb585c56375f
SHA512 7a4b176e16603e90014ed5db3a28fa494a72a5448d22f31c6ed8e6df9b869c7a1505af3f0f7a54ad7d8d99d0fa846bac0f80044c93a2be1ddb03913ce6d1f52c

memory/4380-578-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\resourcedll.cab

MD5 faa32d9c313222de571c8e5ef18e4ea9
SHA1 95f02778a2b2bb3450445bd1dcb0d06493c99907
SHA256 305528e6fa00696d037ee2478fbb25b0199696641a1b7085a737d3f15d4ece91
SHA512 d6347b95c3b7e8a7cc7946f7030bac3dd22ff201adfa2dd0dcff8b059832f8d903254a3cc143576dfc08b7c5493150ad9143b6eac696c0df086bfc5adc986f46

C:\Program Files\McAfee\Temp1825618398\mfw.cab

MD5 b0ac892ec32d0decd68f034cdf174bd8
SHA1 62f0568d21f8ecdd1782f77f942df664b09b0045
SHA256 6583bf6aaf1f57fdf3c152ffef70315ee5cf699fac04b709c1c789c5318babdd
SHA512 c7f21f902392a8f37cb9bb8c64a79fec2c3ef5e9b6437912fad03dde73c62885b8b9c13eb90e8f1ce667ef047fab78468c015fe9ecf2f9cacb20d56889770cfe

C:\Program Files\McAfee\Temp1825618398\uimanager.cab

MD5 33b42a11531a504edb22466fc309a9f5
SHA1 b1cccd8781e1ab808577383ec4b69445af22d0f3
SHA256 5c6d2123baa93a0624dea7ce0a83d815c572752ad37136514a744d7bda461e94
SHA512 d882fd73ea0d9f9feec4bc4f0352d814897805919ec9d0d871fd1351d3370900e99e7bdd3e9e393c891ff104e77edcb9b24dec00ea36558c671a7a534cc55cd9

C:\Program Files\McAfee\Temp1825618398\uihost.cab

MD5 aadeed1ebba0e0b2141608f55eeff20c
SHA1 ec7fbc042a2e7d434900de9f231435dc00fac412
SHA256 20e07beaa7e31432adaf239ac27f58d70cee9f9dd813e1f3db2ed6c03dc6a978
SHA512 773aa2ea2e60165e9017cc3428c82b8234dc8c5728da0fb261d4018489abb04b4a2ab6194c94381c917144c7e64ef0b50016185aad725eba3df3235a6c3399c4

C:\Program Files\McAfee\Temp1825618398\telemetry.cab

MD5 6b00fbefe1d1db8c34e7cb0df7684bc8
SHA1 11a309d6565c8d2c189ef7d686ea375d6f7dee1a
SHA256 d716d0bbbfb7dd1db379a031296279861b91340ef256f8de81c7843bc3d0992a
SHA512 def1b6e4b021bc035da6710baf622b8e84558085b5b5673016a64a3e4e36ebe1a980edd3eb81584ca1ce0e148a044847811a856460f7d42d5cdcb78d24bf5b09

C:\Program Files\McAfee\Temp1825618398\uninstaller.cab

MD5 d7183c36871d5a3888f543d45de81196
SHA1 0867779d8136f50c435ea2eebb3c18a17636b168
SHA256 34da2607d947184799fcc739e957af60fc78a1282ea8dba6881e3d679026d735
SHA512 ad18d80da6ca915034b1b129ba2a6f5e8561de22edae231ec75b0c490ef898ce7a4baa1a3af48ff6cb8459d94c64efdbeb1e1abfeb9091a6c09ac9202136c0b1

C:\Program Files\McAfee\Temp1825618398\wataskmanager.cab

MD5 3490ce3723dbd1138d2c23afd0691b42
SHA1 851d7246a90b84e9fdc6c51854822d0b70092ee8
SHA256 9c4fe9e27ba75fade354db117690025137702dcf3d313077b7709fe6daf36008
SHA512 b1e7ef6c80bb6cc92ca35b4372083adce0dd59f467da9276f74ee4fb6cf9cea1fd1bcaf340261a9976455f9f07d05fdb04d193cdac5e0730859410e21a109167

C:\Program Files\McAfee\Temp1825618398\updater.cab

MD5 fd89621097f24dc2c1f363f355003b24
SHA1 e05f4e72f1bbee859f87801db642c9bac0dd6c83
SHA256 36f738ef0ae99df5f924986b3ea8648e500d698f590e3610ba8dca92e0806b5c
SHA512 5b2ec2964cc8651b9cbdbd4c493b7836fd4924dabc6fc9c0183d409fbc965fb8360052e0dcc241ad7861dc0456410207fbfe702d19e985888c3d3793f73fef72

C:\Program Files\McAfee\Temp1825618398\wssdep.cab

MD5 820c3dde5fc34d287cf5a29034c2e27e
SHA1 ed8fe32e69078400c88519963c093aa85ab490c4
SHA256 a176ec490908ba1f8d36f33913ca5d02ab402008abf0c0bad9a27509750ea232
SHA512 ad9a2843d65001bc2dfdf1c4131d5470db525fe48ea5b3ce5304f478051d9f92c521201aac60803b9afb0baa4d19ac56682e43d86f78155107fdd577af2f3090

memory/4380-600-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\Temp1825618398\webadvisor.cab

MD5 8d6fd0a393d57ac6556efbdf1c507991
SHA1 d6c8ed7abbe25f771bcdb6dc61f43be58fa5aa82
SHA256 a64e6c3422db215508ceb35d538e08f1bef82bfa7fbe86cc1c1c9711552a7ef5
SHA512 e8918aba033755fd8105f2a30ca05256aee80d190e0dd510f02bd932485972cea2bdfbf92474bc07842fdcd21ebe8c91828b91f7cee95274641384f3cd5a7437

memory/4380-583-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-601-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-599-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-647-0x00007FF762020000-0x00007FF762030000-memory.dmp

memory/4380-604-0x00007FF7196D0000-0x00007FF7196E0000-memory.dmp

memory/4380-771-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-712-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-790-0x00007FF76CE50000-0x00007FF76CE60000-memory.dmp

memory/4380-825-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-821-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-815-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

MD5 a2402b3644314f1fa997eab8e2124a4d
SHA1 070bbc72d01bdd4e286e6d6ef5305825492a1b36
SHA256 784762aa19651907f26d1ea088d9e25d8ae71eb8d9e27a0c25fea371cb59f6b9
SHA512 e3ff3035010d4c779feda65fee113d38286a788afd1d3b15cfedf9ab8ef19070d18e5a3511452239bd7b482b62e2ec5d2b2a31627921876821707c191469dd41

memory/4380-813-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-811-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-798-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-789-0x00007FF76CE50000-0x00007FF76CE60000-memory.dmp

memory/4380-745-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-743-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-732-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-730-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-721-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-720-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-718-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-711-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-710-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-709-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-708-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-685-0x00007FF717560000-0x00007FF717570000-memory.dmp

memory/4380-680-0x00007FF76CE50000-0x00007FF76CE60000-memory.dmp

memory/4380-764-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-635-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-627-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-625-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-611-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-605-0x00007FF7431E0000-0x00007FF7431F0000-memory.dmp

memory/4380-675-0x00007FF72FE40000-0x00007FF72FE50000-memory.dmp

memory/4380-666-0x00007FF711AB0000-0x00007FF711AC0000-memory.dmp

memory/4380-660-0x00007FF741FC0000-0x00007FF741FD0000-memory.dmp

memory/4380-638-0x00007FF703D80000-0x00007FF703D90000-memory.dmp

memory/4380-598-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-597-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-596-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-595-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 bd31a5d1ac485dd97bfc5fa7081b6fd1
SHA1 78f9132551f5d9fda7e8a2c0110890d513997de6
SHA256 d451f1d6541d5593d97589a217d5da0990be13d28b6f1db6dc4cb0dcea6aa04e
SHA512 94fdca050379c317e850d33d33f66bbe47a4caee60055bada1365f60c45a43fce307637d19e75aa18cfbd88ca28d9ce3186aecfa6f213fd9b4d031b264eb4bae

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 2afa5d232095eba1e289916886cf571a
SHA1 5e235aa8dc7b89354b1af3dbd6530befe6ba8515
SHA256 5857cbe1b7f8bb7665a536645ba2f7c262da0e4c160a54aecb51d1e173c02494
SHA512 cac689ca11977a785ed8fbd6017878cee111a32fbf39ce0579895e7591276b62b2ce9e91a702de71bcccb7f0114828d8e4702e3fab924113f7576fb70ac68d05

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 9a07603101e54de98ac4caf9fe400b55
SHA1 1293bfc7c164384babeffc1af20b8d8234e9a4de
SHA256 b660ff095a0ab9dac5581edece91349c76b50cccdc61b458742dd06bf90e3204
SHA512 35e5d36597640f17f7a65dabf3798bc0bad7c1e92d96914d29d7fb7b8e7d5cf0f246f1b0cf36a158b0e5fe6a590a9fcd388f4d954775b3b75ec606d539de9886

memory/4380-594-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-593-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-592-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-591-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-590-0x00007FF743600000-0x00007FF743610000-memory.dmp

memory/4380-589-0x00007FF743600000-0x00007FF743610000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 c7ca71a7f472503fd07dd8674e70907a
SHA1 c30ba3338ccc2c5b0eec860f64064dbcb6cf698c
SHA256 70bf1ff3b3d6c8f2b0fd141253569f606aca663a21e80cd479049a7346ec600b
SHA512 11943457887df84fa6dd33e1e90ea5f88c3b938eed668bb70e7502d8017a560cdda79e9602135a3e76d276567808192c34093d07de1dc80e8262a7c931ea5a7a

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 135353974cbebf94b8bc48d682f8f5d8
SHA1 0d8911efa7759516fc80961ec42ed6e15764ceb8
SHA256 3da6db19e909805066bb41b1674b76b9b1946e99aefdee3ef96a0ee73b9914c1
SHA512 1896e77b05162f9624ecc2139866186260b1adfb6a1918f04f9696dde2e7b5b4c2fb64533c20abc44ea0bc42afed692381cff956a458b1fb420e5b490f26f998

memory/4052-2574-0x000001607CA80000-0x000001607CAD6000-memory.dmp

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 c85b6e5cbc8cd0cd668a95378cf2339f
SHA1 a53d71a00a4d1ee74de71543846ddbeb568b29a1
SHA256 ef6f5493f21fa5fdac8b6b669ac6dbc0923e5c7c794f075413f27ca6ebeeb4b1
SHA512 7067887375c5aa40b1732d648185a0d231b8d87a43b63fb3670dc5099a56c7c7356cce43dc48cad6e96c1585fdb2955afa8a50d3a1c7df1994e80705f76aaec2

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 fa16d0dc50b77c9f8703b5b36d774107
SHA1 ec426639f3bf3a563491ac53b70bb5eb92e5c314
SHA256 94ad9f2b387a5e6cbd0f7b2259e37533ca80aaa69ba044db6a022661eaeb606d
SHA512 b2e50634a6a7a116c71bb56dc045f29f79abd5d831ed1ac4a4fb7ab6a452321a814b9877b1c98cc0e185c6b6cab5bfe3e9435a43f9f4d1ff4d515109779372cd

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 4be222b0796df9d496e9ff02c389c304
SHA1 a50131cc3683aed3c32847cdd0b8b976951296ba
SHA256 ae6d512a1d4f0f4b91a699c80eb6b97acd3bc59b22375a3039d74b58b31e9c2d
SHA512 26cccea83b3f1dfe84c63cacd4698d9eea373219cdf810f5dbc1ace313b1478d753eb5547ca186076e878883b462364dd80136805d7aadabd5917cf485a55eaa

memory/4052-4184-0x000001607CB20000-0x000001607CB5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\8be0cc2f\00f86733_b4b9da01\rsJSON.DLL

MD5 fa63504382f4f3f92fa86841d9e97f29
SHA1 0bde02c98741bb24eaf501bd8e2d9738742cd042
SHA256 5f0764e1998464f63c6583f870dd3784921b752b91d8e450fe2c90153cb5e58d
SHA512 c8483d9060a6800c8dedb4d5fea7cda346f742ca1a149c3eb608823209aff1f00bfcc5b0caf9c482c7b01d75f6e198edfae3b0100cb0dca6e5b5f18336abdee5

C:\Windows\Logs\DISM\dism.log

MD5 e02fbc230169599fb8d27096c710dc4c
SHA1 5da44566ec5a1b8417323b4c3d4f4ffdc4de0ab8
SHA256 df5adb00b23afdf56f5322e3097d2a6e04a5da0f6a4c3923ba698f590a6eb767
SHA512 0c9e363d6b39155fc8c668af9ee8b2d55dd776411de07c39180b735d14279d67367654cc26a50fb94f8d0292af64996d41295bcc3f75e9a343b45f1dd7f79a4e

memory/4052-4240-0x000001607CB10000-0x000001607CB40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\b4ed0e44\00f86733_b4b9da01\rsLogger.DLL

MD5 e3fa0916f33bee8a14f28421d2dcdc9f
SHA1 fd3dca4db55e81ebffc7609c5d63a4ffbd6629b2
SHA256 29aaff11e775c800575b1a5d4160daec749dde528e68bc3b6e9b340279ed991d
SHA512 fe96efd3cf162bbb766634c3d90f707d868378dd04e47aa9d55c03e03130f54827f781639383b053c9335d022ccd6b244b67e586197c2b40d193dd58a4ee8cb6

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\d1e7a83f\8cd06033_b4b9da01\rsAtom.DLL

MD5 044d60780b0c40d3f9b0b5a3fc040948
SHA1 2e16c926f11ed5faae22d9af5d935748c57ec1f8
SHA256 7493f645bb04092aee30a47a681494251c79a38a941c9a3d2dee4293a265f428
SHA512 7653a0a46e3eb9331e92a09937754302f939100adbfb283242c25bf0f73f8508d6f7e9d5aa08dbbefdd14bf682ad7d0d77f4999b3274d329d281e22934c445ea

memory/4052-4300-0x000001607CB10000-0x000001607CB3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsh3C4B.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\2a9e033d\695a6a33_b4b9da01\rsServiceController.DLL

MD5 8dcd92de516608670f57193d74824a3b
SHA1 c67c347dfa47c2db1628fab8bf9906c353f33dd9
SHA256 96db49db4dd12b9f86144fedf83ac7dc12d855c5d7e3c863fd5b1696966ac345
SHA512 e5fde81ae57e68df69fc7695b9e16d8c7d188a30a4d68ffb682a3dcfedf2c028874145815aad2f957a02b0ead6ad8f1442635dfa580339816110e7b1cdbc0c0e

memory/4052-4345-0x000001607CCA0000-0x000001607CCCE000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 0195b6f2d3e0f5a4947f353e48e15d8c
SHA1 f29fb502b68a486ffee0c55ed343c15e5110e6f9
SHA256 52b9ff10c412162ce0ac5ece6cd56b1164c209af1ad8b3b8e334149ed6e4ea56
SHA512 65ba63d1645a1c507c2a8c4728df0f1f660f3574333925386f1b5b07f11e4e894d8404767a478a384d6a5910915ff040698c6c761047a4ce53a9fabd2d788bef

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

memory/7792-4557-0x000002189F400000-0x000002189F42E000-memory.dmp

memory/7792-4621-0x000002189F400000-0x000002189F42E000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 b2ec2559e28da042f6baa8d4c4822ad5
SHA1 3bda8d045c2f8a6daeb7b59bf52295d5107bf819
SHA256 115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3
SHA512 11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

memory/7792-4636-0x00000218A1210000-0x00000218A124C000-memory.dmp

memory/7792-4635-0x000002189F8B0000-0x000002189F8C2000-memory.dmp

C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog

MD5 8a0b93abf7961a386f153a4165e099f1
SHA1 388165bcf6100b6a6c69cc51693716116e4c4896
SHA256 e1eee4a919996c03ff2a0f0a3617e48bbcdf3c41c9535466de7a02fcdcae680a
SHA512 36972b5ffdde91754c3d2a336856f9bbe9f5bc7fded2420ae8f1ba66df905b0e189327eecc6eff9deb3df29c288dfb60aa16c8f9dbe501e449b92a67aaf5edac

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

memory/8548-4660-0x00000196E2B80000-0x00000196E2EE6000-memory.dmp

memory/8548-4661-0x00000196E2990000-0x00000196E2B0C000-memory.dmp

memory/8548-4662-0x00000196C9F80000-0x00000196C9F9A000-memory.dmp

memory/8548-4663-0x00000196CA000000-0x00000196CA022000-memory.dmp

memory/8724-4664-0x0000000005000000-0x0000000005036000-memory.dmp

memory/8724-4666-0x00000000057E0000-0x0000000005E0A000-memory.dmp

memory/8724-4668-0x0000000005F10000-0x0000000005F76000-memory.dmp

memory/8724-4667-0x00000000056F0000-0x0000000005712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3lwync5.rvj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/8724-4677-0x0000000006070000-0x00000000063C7000-memory.dmp

memory/8724-4678-0x0000000006490000-0x00000000064AE000-memory.dmp

memory/8724-4679-0x00000000064D0000-0x000000000651C000-memory.dmp

memory/8724-4680-0x0000000006A70000-0x0000000006AA4000-memory.dmp

memory/8724-4691-0x0000000007730000-0x00000000077D4000-memory.dmp

memory/8724-4690-0x0000000007480000-0x000000000749E000-memory.dmp

memory/8724-4681-0x000000006DD40000-0x000000006DD8C000-memory.dmp

memory/8724-4693-0x0000000007870000-0x000000000788A000-memory.dmp

memory/8724-4692-0x0000000007EB0000-0x000000000852A000-memory.dmp

memory/8724-4694-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/8724-4695-0x0000000007B00000-0x0000000007B96000-memory.dmp

memory/8724-4696-0x0000000007A80000-0x0000000007A91000-memory.dmp

memory/8724-4697-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

memory/8724-4698-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/9104-4709-0x000000006DD40000-0x000000006DD8C000-memory.dmp

memory/3264-4727-0x000000006DD40000-0x000000006DD8C000-memory.dmp

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

MD5 4acd5f0e312730f1d8b8805f3699c184
SHA1 67c957e102bf2b2a86c5708257bc32f91c006739
SHA256 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA512 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

C:\LDPlayer\ldmutiplayer\fonts\NotoSans-Regular.otf

MD5 1e43a59935ec1f3107fc23e350f7d9e5
SHA1 ecb98db9af622b3fbad856d38a05cb8d16476792
SHA256 7e54e2406a41157a5c7ded2a8d29ad30025ff4c5ecc1f200c40d23b378f1c538
SHA512 bf247ac6766d1df5ce8789814ebc67df23696a370fe8978d88fa3642820d8e75b404149edc74d417d713166ac404b05926d8463cbf993e7559738f956e1173fb

C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

MD5 0054560df6c69d2067689433172088ef
SHA1 a30042b77ebd7c704be0e986349030bcdb82857d
SHA256 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

MD5 e8fd6da54f056363b284608c3f6a832e
SHA1 32e88b82fd398568517ab03b33e9765b59c4946d
SHA256 b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA512 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

MD5 52c43baddd43be63fbfb398722f3b01d
SHA1 be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA256 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA512 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

MD5 ba46e6e1c5861617b4d97de00149b905
SHA1 4affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA256 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512 bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

MD5 2d40f6c6a4f88c8c2685ee25b53ec00d
SHA1 faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA256 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA512 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

MD5 01c4246df55a5fff93d086bb56110d2b
SHA1 e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256 c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA512 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

MD5 66df6f7b7a98ff750aade522c22d239a
SHA1 f69464fe18ed03de597bb46482ae899f43c94617
SHA256 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA512 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

MD5 ad9d7cbdb4b19fb65960d69126e3ff68
SHA1 dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256 a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512 f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

MD5 f96c25bb4feee47fe4111660fa0706b3
SHA1 284126ce4f80b6bfd6037f6137dee90c941e4eec
SHA256 9b5d44c60b18b36bcc1cc0e28585ae168d92239beda197d739c3e64edb229867
SHA512 b4297728f031863ccfb50de52d18f443d6ae893322e2f6b315497e187329275fbf41828867e614b35e9ff60ac6e3e1ae77d876fa8e131336c2d6a1fb6ff7db36

C:\LDPlayer\LDPlayer9\dnplayer.exe

MD5 a723044f1c511790dd0ee3a3fa68c4cf
SHA1 670e6f907c2557c9685ad26c26d6d8fee5139942
SHA256 861be3e240b075752d52c7b50c41bf22eab9314db4f11a20362c648198a0f2e4
SHA512 0fa7da71864d1abdff83d3aa01597f5902c01899513b0333bcc5d756a15be02b8c5293b55c1d88e556010f53412a7dbd27b57b63b1074565f1f6de8e2952377c

memory/3348-4866-0x0000000072BE0000-0x0000000073391000-memory.dmp

C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

MD5 4d592fd525e977bf3d832cdb1482faa0
SHA1 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256 f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512 afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

MD5 6de0ef4a83aadebe5d7e07a64fc9d220
SHA1 f2162f30992ced0b882bfced0477ebf62b7ce186
SHA256 b7c4de833b0e2689724414802fbdda35d7cc1c4529eb95282fd0ffd175119008
SHA512 eebe007e0ece66c08138720bb46864470826a6b49a8edb1fd1593c4efade4bbf32c764d205383ef4745a738a1242f92e4c396abeb56e6ff9e785977ce8f646da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8294f1821fd3419c0a42b389d19ecfc6
SHA1 cd4982751377c2904a1d3c58e801fa013ea27533
SHA256 92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512 372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 9725e25086ffed3e5f39c4b77f15b2aa
SHA1 f85783a175ee62e75cfc7ce60d25910122c3571c
SHA256 c3a0b496570d7880e4848dcc2e157396f585e39f429b2066671aaafc4575bba1
SHA512 41a8caa5e787af6a99d2695bcfa80b1fb849e31a4b496637db66738ac99201e82b152834288131a0ecada135afb2b5467e357d7f0567eaf50574f33438d3320a

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 7d9ba33a14a59f4c0a6e5657641616d7
SHA1 8f134ce5393057693addfb489a41c3234f7091ed
SHA256 073ce4a9dee92571d7e96a34e9196d03d832d7c8ff857c3f96cc42e17c12dda3
SHA512 35d95c6320bdaf9dc12ae8f8a11fb4e7d086277cce9f46b941b3e7df348b79d1a7bb307c169daf4b6d596d7af24245658b4c9a80ef7085f149b84971e14e48ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a752dbe97135b8505a37f750c35b4b9
SHA1 066354a741e1addd58be34fbcb8375273b773510
SHA256 4f3587a0f890c544d68c0fdeadc59af68f47932ee409164ff58036bd126da891
SHA512 49d7f98f3cafbd1c9d99a79f93b3364b488317a8f01f1bc340f7410f3659cfa38be0079f4c8651487e36b25a8a7105c7186a51f7a0f66cf05be4bb8d140c3d9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 390187670cb1e0eb022f4f7735263e82
SHA1 ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA256 3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512 602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

MD5 15a833e358fdd43fee23febf163f23a8
SHA1 2f4c48c9874c44b9c72fa126489e6076980e8068
SHA256 3346f3aae3e9711090505b57c765dcd188f6b11cd106a3c6f4df96a894416a23
SHA512 d7ae20e4a771c18f26667f0e9ad2d5712ead90c802d482ed356228db8d0ea6c8e6e59c2b5ef287f998b202517fb81565bca7d51c204e9165ab44f19d40ad41a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

MD5 76df06a31c302d4944c49e96243cd11b
SHA1 002330a2c1a721d9c2ec1b112b012dc22c5bb13f
SHA256 2414a299fa179db4e540f0fcf7a0a9ad64581a72919845a0b8337314045820e8
SHA512 01c2e93c364491a8f3eb73fcea7a16386e5b5625d6b31b553caee30e8f9c45b8a71a6784d59fcbbf41f14831a079de85d3cd8ba5b677f28a116e4c88a1321064

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 0bd999c2c81bf947c534fbfc130b85e1
SHA1 73e080f025b01ae0450a041552743ab1cf452cbc
SHA256 7bef6271860d665d878fed0e709398a6026940a3a7408d9137e4f9f54af469c0
SHA512 7e1e0e37e6ca88d56a36b4858a7d1c8b0a550f0a0211802c956f4351053f3ce0d36cc06e0413d838c89510421ff4907682424217f1356f9b66ae567a3730c27f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

MD5 89a574ff00e6b0ec61d995d059ce6e65
SHA1 aea09e96808ab77165ffa712eaa58b8f056d0bb6
SHA256 e5c29c139842fd487473d0824f2c01b374680fb35d22fa929686d17896602a44
SHA512 30d0d40bd680e61968273155b740901cdfa66670fc2af6f23e44c6b998b67cc1fcd0b51bd5f9470f209f188e75d071355e592b2a7c97f4bfd15d07d455e0909d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

MD5 0b63c1132870a72d36e8bf87fad354f2
SHA1 8f92fc171e4f86dae784d9324c3d35b93f75ec84
SHA256 8d037e317f6ff628f06d04139f5bebd8d5c0607f7a756c38c15813a2af1d2ead
SHA512 3498331109c061b3565be5c1e0c89d0f2593c16bc3a1ccf6efa4a5e0835e48d7a4fe2712ed1249ccfe99b3a23e861a5f3478425b5346ebb482813ac03a946954

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

MD5 8a42ba5472aa4afa3d3ac12f31d47408
SHA1 2add574424ac47c1e83b0b7fae5d040c46ac38a7
SHA256 759bfec59bce5ddea7751b7f93408074a8c27cb2c387b08b6b9f4aa111266ec4
SHA512 3e1081a6e1c29f6dae28ab997c551a6d107d4f4b7e0981a19ba81a30a4e420dee1791321dca8f4b500c9e7e4a41c5e5c75013a72e5a5cde3f7e6c50393eb10b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 46d1b68046be877b5af1adc72c2d5027
SHA1 9f3a3f712c1f614ada4151dc8b2fd97d09869a87
SHA256 90e7799da2b33c9c3a9d9cbe0325392bf8bdae531cbf70e74bd32144cb735524
SHA512 0197bb77d02fb072aa615feedcd7697a7c186e5910a14ce6ed3f33f4dbf07a88b1308e1fbc1e1fd2d7dac53e26269ec6c618e300854ab8e347229b58e7a022ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b65bf22ccd99bc7f83ab490462c2765a
SHA1 9fdc3bd5994fb57ff40911fd377ec4211b490e46
SHA256 f0e2ac77e93579b20fb599570cc070c817707e3553c8c9e046a0ee596dcef517
SHA512 2e865fa0e3d88bb61ed52c78182c42eee5ffaac7c2747122353708a77b36d4fd3e3db396dc90983596df7aca99a1338c5fbd467d68514f1c1dd61c5d49eef01a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23