Analysis Overview
SHA256
2e58cad322836a59a561cc746372655ead1852c9b3393c60ce403ef6262d4020
Threat Level: Known bad
The file LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
Contains code to disable Windows Defender
Possible privilege escalation attempt
Drops file in Drivers directory
Manipulates Digital Signatures
Creates new service(s)
Reads user/profile data of web browsers
Checks BIOS information in registry
Modifies file permissions
Enumerates connected drives
Adds Run key to start application
Modifies powershell logging option
Legitimate hosting services abused for malware hosting/C2
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking
AutoIT Executable
Checks computer location settings
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Checks system information in the registry
Loads dropped DLL
Checks installed software on the system
Executes dropped EXE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Kills process with taskkill
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:15
Reported
2024-08-06 12:19
Platform
win10v2004-20240802-en
Max time kernel
157s
Max time network
204s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Windows\system32\drivers\rsCamFilter020502.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Windows\system32\drivers\rsKernelEngine.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened (read-only) | \??\F: | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Modifies powershell logging option
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_686A447EF0220EBC1D36EF897F31F606 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_30B4D916E12169D9CB0BC7A11DE46EA6 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_C4502B2ED7ABD16FF1FA41F55DB2B363 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0FD7C8CB35A5508C225BD37696B3744C | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_686A447EF0220EBC1D36EF897F31F606 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_30B4D916E12169D9CB0BC7A11DE46EA6 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_A0860A3E34061BC810010D272A66BEF4 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0FD7C8CB35A5508C225BD37696B3744C | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_C4502B2ED7ABD16FF1FA41F55DB2B363 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_A0860A3E34061BC810010D272A66BEF4 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VirtualBoxVM.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-CA.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\logic\aj_logic.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-nl-NL.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-en-US.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\wa_install_error.png | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-dialog-balloon.css | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\securesearchtoast.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRT.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-tr-TR.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\rsJSON.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-nl-NL.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\dimensionhandler.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\currentbrowserversion.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-tr-TR.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transmitter_template.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_api_endpoint.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\dasync.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-ko-KR.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-cs-CZ.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ja-JP.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\browserhost.cab | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-nl-NL.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\dayssincesettingsdblookup.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVBoxDbg.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-sk-SK.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\pscore.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\jslang\wa-res-shared-cs-CZ.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-ja-JP.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ext-install-toast.html | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-math-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\webadvisor.cab | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\jslang\eula-el-GR.txt | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-da-DK.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ru-RU.js | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\arm64\elam\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Claims.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\jslang\wa-res-shared-sv-SE.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\he.pak | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\twitter.png | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\wa-uninstall.html | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\suitestatus.luc | C:\Program Files\McAfee\Temp2049478404\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\jslang\wa-res-install-es-ES.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File created | C:\Program Files\McAfee\Temp2049478404\jslang\wa-res-install-ru-RU.js | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe | N/A |
| File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\wmi.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tracing.dll | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\2762673D-CF40-4CAE-9AB0-47239E9A3DF1\dismhost.exe | N/A |
Executes dropped EXE
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dism.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bmp10dyf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
| Key opened | \Registry\Machine\Hardware\Description\System\CentralProcessor | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ = "IUSBControllerChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\ = "IBooleanFormValue" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ldmnq.apk\Shell\Open\Command | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods\ = "24" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}\NumMethods\ = "15" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\NumMethods\ = "69" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\ = "IMousePointerShapeChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer\ = "VirtualBox.VirtualBoxClient.1" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7193-426C-A41F-522E8F537FA0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods\ = "24" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\ = "VirtualBox Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-762E-4120-871C-A2014234A607}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\TypeLib | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\ = "IMediumConfigChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\ = "IDHCPGroupConfig" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5637-472A-9736-72019EABD7DE} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7708-444B-9EEF-C116CE423D39}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ = "IGuestFileRegisteredEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\NumMethods\ = "31" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ = "IMachine" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4521-44CC-DF95-186E4D057C83} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 | C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\fltmc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=en -path="C:\LDPlayer\LDPlayer9\"
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=5078cc0dbdc1c7191df5b38faec16fc9b56a96fd&dit=20240806121511150&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
C:\Users\Admin\AppData\Local\Temp\bmp10dyf.exe
"C:\Users\Admin\AppData\Local\Temp\bmp10dyf.exe" /silent
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe
.\UnifiedStub-installer.exe /silent
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=197184
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Program Files\McAfee\Temp2049478404\installer.exe
"C:\Program Files\McAfee\Temp2049478404\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/ldplayer
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa904c46f8,0x7ffa904c4708,0x7ffa904c4718
C:\Users\Admin\AppData\Local\Temp\2762673D-CF40-4CAE-9AB0-47239E9A3DF1\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\2762673D-CF40-4CAE-9AB0-47239E9A3DF1\dismhost.exe {E28A1BAE-5203-4DDA-B08F-0499C8A27F04}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17808553069791182718,2713282761886356405,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1740 --field-trial-handle=1744,i,13069939569013959853,15625229237361062024,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2092 --field-trial-handle=1744,i,13069939569013959853,15625229237361062024,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2224 --field-trial-handle=1744,i,13069939569013959853,15625229237361062024,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3568 --field-trial-handle=1744,i,13069939569013959853,15625229237361062024,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa904c46f8,0x7ffa904c4708,0x7ffa904c4718
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.dvloper.granny|package=com.dvloper.granny
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x338
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa904c46f8,0x7ffa904c4708,0x7ffa904c4718
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1139631844858741055,9292796685308893156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| US | 8.8.8.8:53 | d19mtdoi3rn3ox.cloudfront.net | udp |
| IE | 99.86.122.171:443 | d19mtdoi3rn3ox.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.176.133.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1arl2thrafelv.cloudfront.net | udp |
| IE | 3.162.143.31:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.122.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| IE | 3.162.143.31:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 31.143.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 22.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.122.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp |
| IE | 3.162.148.27:80 | ocsp.r2m02.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 64.145.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.148.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 146.48.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shield.reasonsecurity.com | udp |
| US | 8.8.8.8:53 | d1arl2thrafelv.cloudfront.net | udp |
| IE | 13.224.68.49:443 | shield.reasonsecurity.com | tcp |
| IE | 3.162.143.40:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | analytics.apis.mcafee.com | udp |
| IE | 13.224.68.49:443 | shield.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 49.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.143.162.3.in-addr.arpa | udp |
| US | 35.167.53.9:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | sadownload.mcafee.com | udp |
| US | 8.8.8.8:53 | 9.53.167.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.analytics-data.io | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| GB | 2.18.190.79:443 | sadownload.mcafee.com | tcp |
| US | 8.8.8.8:53 | update.reasonsecurity.com | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.119.202.34.in-addr.arpa | udp |
| IE | 18.66.171.29:443 | update.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | apien.ldmnq.com | udp |
| IE | 18.66.171.20:443 | apien.ldmnq.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | electron-shell.reasonsecurity.com | udp |
| IE | 13.224.68.100:443 | electron-shell.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| IE | 3.162.148.27:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | 29.171.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.171.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| GB | 2.18.190.79:443 | sadownload.mcafee.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | cdn.reasonsecurity.com | udp |
| IE | 3.162.140.37:443 | cdn.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | home.mcafee.com | udp |
| FR | 23.217.238.49:443 | home.mcafee.com | tcp |
| FR | 23.217.238.49:443 | home.mcafee.com | tcp |
| US | 8.8.8.8:53 | analytics.apis.mcafee.com | udp |
| US | 35.83.24.89:443 | analytics.apis.mcafee.com | tcp |
| US | 8.8.8.8:53 | 37.140.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.238.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.24.83.35.in-addr.arpa | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent-lhr6-1.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent-lhr6-2.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent-lhr8-1.xx.fbcdn.net | udp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | scontent-lhr8-2.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | scontent-lhr8-2.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.214.240.157.in-addr.arpa | udp |
| US | 35.83.24.89:443 | analytics.apis.mcafee.com | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| FR | 2.21.225.223:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 223.225.21.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | sadownload.mcafee.com | udp |
| GB | 2.18.190.79:443 | sadownload.mcafee.com | tcp |
| US | 8.8.8.8:53 | config.reasonsecurity.com | udp |
| IE | 13.224.68.77:443 | config.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 77.68.224.13.in-addr.arpa | udp |
| FR | 2.21.225.223:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.reasonsecurity.com | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | 235.0.22.104.in-addr.arpa | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | mc6.reasonsecurity.com | udp |
| US | 52.34.150.127:443 | mc6.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 127.150.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.analytics-data.io | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | sw.symcd.com | udp |
| DE | 152.199.19.74:80 | sw.symcd.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| DE | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | ad.ldplayer.net | udp |
| US | 8.8.8.8:53 | en.ldplayer.net | udp |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| IE | 3.162.140.94:443 | ad.ldplayer.net | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| GB | 163.181.57.235:443 | en.ldplayer.net | tcp |
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 162.159.130.234:443 | discord.gg | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 162.159.130.234:443 | discord.gg | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 94.140.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 162.159.137.232:443 | discord.com | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 235.57.181.163.in-addr.arpa | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | www.ldplayer.net | udp |
| GB | 163.181.57.238:443 | www.ldplayer.net | tcp |
| GB | 163.181.57.238:443 | www.ldplayer.net | tcp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | advertise.ldplayer.net | udp |
| US | 8.8.8.8:53 | 238.57.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| US | 8.8.8.8:53 | cmp.setupcmp.com | udp |
| US | 104.26.5.6:443 | cmp.setupcmp.com | tcp |
| GB | 79.133.176.235:443 | advertise.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.26.5.6:443 | cmp.setupcmp.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| NL | 142.250.179.174:443 | fundingchoicesmessages.google.com | tcp |
| US | 8.8.8.8:53 | 6.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.136.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.176.133.79.in-addr.arpa | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | alliance.ldplayer.net | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| NL | 142.250.179.174:443 | www.youtube.com | udp |
| IE | 3.162.140.19:443 | alliance.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 79.133.176.235:443 | advertise.ldplayer.net | tcp |
| NL | 142.250.179.182:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | stpd.cloud | udp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| US | 104.18.30.49:443 | stpd.cloud | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp |
| US | 8.8.8.8:53 | 174.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.140.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.30.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| IE | 3.162.148.27:80 | ocsp.r2m01.amazontrust.com | tcp |
| GB | 2.18.190.81:80 | apps.identrust.com | tcp |
| NL | 142.251.36.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | apien.ldplayer.net | udp |
| US | 8.8.8.8:53 | usersdk.ldmnq.com | udp |
| US | 8.8.8.8:53 | res.ldplayer.net | udp |
| IE | 3.162.140.121:443 | apien.ldplayer.net | tcp |
| SG | 8.219.223.66:443 | usersdk.ldmnq.com | tcp |
| GB | 79.133.176.235:443 | res.ldplayer.net | tcp |
| SG | 8.219.223.66:443 | usersdk.ldmnq.com | tcp |
| IE | 3.162.140.121:443 | apien.ldplayer.net | udp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 81.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.140.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| NL | 142.250.179.134:443 | static.doubleclick.net | tcp |
| NL | 172.217.23.194:443 | www.googletagservices.com | tcp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| NL | 172.217.23.202:443 | jnn-pa.googleapis.com | tcp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | tcp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| NL | 142.251.36.14:443 | apis.google.com | udp |
| NL | 172.217.23.202:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| NL | 142.250.179.162:443 | securepubads.g.doubleclick.net | tcp |
| NL | 142.250.179.162:443 | securepubads.g.doubleclick.net | tcp |
| GB | 79.133.176.235:443 | res.ldplayer.net | tcp |
| US | 8.8.8.8:53 | apien.ldmnq.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| IE | 18.66.171.20:80 | apien.ldmnq.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| NL | 216.58.214.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 134.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.223.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tagan.adlightning.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| NL | 216.58.214.14:443 | play.google.com | udp |
| IE | 13.224.68.52:443 | tagan.adlightning.com | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| IE | 3.162.142.187:443 | c.amazon-adsystem.com | tcp |
| IE | 18.66.171.20:443 | apien.ldmnq.com | tcp |
| IE | 18.66.171.20:443 | apien.ldmnq.com | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 172.67.75.241:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | prebid-stag.setupad.net | udp |
| US | 8.8.8.8:53 | bidder.criteo.com | udp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | mp.4dex.io | udp |
| US | 8.8.8.8:53 | rtb.openx.net | udp |
| DE | 162.19.138.82:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | rtb.adxpremium.services | udp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 185.106.140.18:443 | rtb.adxpremium.services | tcp |
| US | 104.18.10.176:443 | mp.4dex.io | tcp |
| US | 8.8.8.8:53 | prebid.a-mo.net | udp |
| US | 172.67.68.162:443 | prebid-stag.setupad.net | tcp |
| US | 172.67.68.162:443 | prebid-stag.setupad.net | tcp |
| US | 8.8.8.8:53 | adx.adform.net | udp |
| NL | 178.250.1.8:443 | bidder.criteo.com | tcp |
| US | 8.8.8.8:53 | prg.smartadserver.com | udp |
| US | 35.186.253.211:443 | rtb.openx.net | tcp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| NL | 81.17.55.160:443 | prg.smartadserver.com | tcp |
| NL | 147.75.85.97:443 | prebid.a-mo.net | tcp |
| DK | 37.157.5.84:443 | adx.adform.net | tcp |
| IE | 13.224.68.126:443 | config.aps.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | secure.cdn.fastclick.net | udp |
| IE | 3.162.148.221:443 | aax.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | 14.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.142.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.129.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | cdn.hadronid.net | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 172.67.75.241:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| FR | 2.23.118.34:443 | secure.cdn.fastclick.net | tcp |
| FR | 2.23.118.34:443 | secure.cdn.fastclick.net | tcp |
| DE | 141.95.98.65:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | cm.adform.net | udp |
| US | 104.22.53.173:443 | cdn.hadronid.net | tcp |
| IE | 13.224.68.119:443 | tags.crwdcntrl.net | tcp |
| US | 172.67.38.106:443 | cdn.id5-sync.com | tcp |
| US | 104.18.22.145:443 | cadmus.script.ac | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| DK | 37.157.5.84:443 | cm.adform.net | tcp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | id.hadron.ad.gt | udp |
| US | 8.8.8.8:53 | ssbsync-global.smartadserver.com | udp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| DE | 51.38.120.206:443 | onetag-sys.com | tcp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| US | 8.8.8.8:53 | proc.ad.cpe.dotomi.com | udp |
| IE | 99.80.89.220:443 | bcp.crwdcntrl.net | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 89.207.16.210:443 | proc.ad.cpe.dotomi.com | tcp |
| FR | 51.178.195.212:443 | ssbsync-global.smartadserver.com | tcp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| NL | 142.251.39.97:443 | tpc.googlesyndication.com | tcp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| IE | 13.224.68.22:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 18.140.106.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.8.184.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.253.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.55.17.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.85.75.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.5.157.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.118.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.148.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.53.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.38.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.68.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.98.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.120.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.23.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.89.80.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.16.207.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.195.178.51.in-addr.arpa | udp |
| NL | 142.250.179.162:443 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | dce14a2b9981020b370997f4625fcd2e.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | a.ad.gt | udp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| NL | 142.250.179.193:443 | dce14a2b9981020b370997f4625fcd2e.safeframe.googlesyndication.com | tcp |
| US | 172.67.23.234:443 | a.ad.gt | tcp |
| NL | 172.217.168.251:443 | storage.googleapis.com | tcp |
| NL | 172.217.168.251:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | play-lh.googleusercontent.com | udp |
| NL | 172.217.168.246:443 | play-lh.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 193.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.168.217.172.in-addr.arpa | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.179.131:80 | c.pki.goog | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| NL | 142.250.179.131:80 | o.pki.goog | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| GB | 79.133.176.235:443 | res.ldplayer.net | tcp |
| GB | 79.133.176.235:443 | res.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 34.202.119.205:443 | track.analytics-data.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | d9cb0b4a66458d85470ccf9b3575c0e7 |
| SHA1 | 1572092be5489725cffbabe2f59eba094ee1d8a1 |
| SHA256 | 6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05 |
| SHA512 | 94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6 |
memory/4928-12-0x0000000007220000-0x0000000007230000-memory.dmp
memory/4928-13-0x000000007251E000-0x000000007251F000-memory.dmp
memory/4928-18-0x0000000072DC0000-0x0000000072DD6000-memory.dmp
memory/4928-17-0x0000000007200000-0x0000000007216000-memory.dmp
memory/4928-20-0x0000000009BE0000-0x000000000A184000-memory.dmp
memory/4928-21-0x00000000096D0000-0x0000000009762000-memory.dmp
memory/4928-27-0x00000000037F0000-0x0000000003834000-memory.dmp
memory/4928-28-0x0000000005380000-0x000000000541C000-memory.dmp
memory/4928-29-0x00000000038C0000-0x0000000003926000-memory.dmp
memory/4928-30-0x000000000AC80000-0x000000000B1AC000-memory.dmp
memory/4928-31-0x0000000009640000-0x000000000964A000-memory.dmp
memory/4928-32-0x000000000AC00000-0x000000000AC50000-memory.dmp
memory/4928-33-0x000000000BFD0000-0x000000000C082000-memory.dmp
memory/4928-34-0x000000000BF10000-0x000000000BF2A000-memory.dmp
memory/4928-35-0x000000000BFB0000-0x000000000BFC2000-memory.dmp
memory/4928-36-0x000000000C0E0000-0x000000000C100000-memory.dmp
memory/4928-37-0x000000000C140000-0x000000000C172000-memory.dmp
memory/4928-38-0x000000000C1F0000-0x000000000C256000-memory.dmp
memory/4928-39-0x000000000C180000-0x000000000C19E000-memory.dmp
memory/4928-40-0x000000000C1D0000-0x000000000C1EA000-memory.dmp
memory/4928-41-0x0000000072510000-0x0000000072CC0000-memory.dmp
memory/4928-42-0x0000000072510000-0x0000000072CC0000-memory.dmp
memory/4928-55-0x000000007251E000-0x000000007251F000-memory.dmp
memory/4928-56-0x0000000072510000-0x0000000072CC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
| MD5 | 295fd48f0e2c206a7a9ffb2344684029 |
| SHA1 | aab845b7df327a32b8c59ba8de3b77122cd3c8dd |
| SHA256 | e95c3705229530613610b8d63dd9efecc141831bf114698b01b2c971e0539151 |
| SHA512 | d5e4331dd3e9d45bb693ca0f16c84a3c91de0e78447a212a1f00be7efbda925006975a157574cbbc8b890446068d19f317152749089337a666634f9e6dc7c6b8 |
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
| MD5 | 143255618462a577de27286a272584e1 |
| SHA1 | efc032a6822bc57bcd0c9662a6a062be45f11acb |
| SHA256 | f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4 |
| SHA512 | c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9 |
memory/5060-64-0x00000203B9830000-0x00000203B9838000-memory.dmp
memory/5060-67-0x00000203D4220000-0x00000203D4748000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bmp10dyf.exe
| MD5 | 4325f2dca7fa878a9ceb2cd37d58b980 |
| SHA1 | 542450e1185a9cd3eaa518afc4dc6540cb00d4ae |
| SHA256 | f94cf325721fca2c9baf8155656671e1b55cd90e70c53c3d71f5dd5417104fca |
| SHA512 | d4cfe4536a4cb6b4ba0d4b6d39650d5180524a67bcfb9c233ea6af6e78ba9d153a4257a19a7dd3f81d269034a45f4c79cca8d4f24cca506e8743716259c444d6 |
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\UnifiedStub-installer.exe
| MD5 | 493d5868e37861c6492f3ac509bed205 |
| SHA1 | 1050a57cf1d2a375e78cc8da517439b57a408f09 |
| SHA256 | dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f |
| SHA512 | e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d |
memory/4236-198-0x0000022FB3CF0000-0x0000022FB3DFC000-memory.dmp
memory/4236-200-0x0000022FB4200000-0x0000022FB4246000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\rsStubLib.dll
| MD5 | 3bcbeaab001f5d111d1db20039238753 |
| SHA1 | 4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8 |
| SHA256 | 897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a |
| SHA512 | de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c |
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\rsLogger.dll
| MD5 | 1cfc3fc56fe40842094c7506b165573a |
| SHA1 | 023b3b389fdfa7a9557623b2742f0f40e4784a5c |
| SHA256 | 187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2 |
| SHA512 | 6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0 |
memory/4236-202-0x0000022FB41C0000-0x0000022FB41F0000-memory.dmp
memory/4236-204-0x0000022FCE410000-0x0000022FCE4C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\Newtonsoft.Json.dll
| MD5 | 4f0f111120d0d8d4431974f70a1fdfe1 |
| SHA1 | b81833ac06afc6b76fb73c0857882f5f6d2a4326 |
| SHA256 | d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a |
| SHA512 | e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750 |
memory/4236-205-0x0000022FCE360000-0x0000022FCE382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\rsAtom.dll
| MD5 | dc15f01282dc0c87b1525f8792eaf34e |
| SHA1 | ad4fdf68a8cffedde6e81954473dcd4293553a94 |
| SHA256 | cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998 |
| SHA512 | 54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078 |
memory/4236-210-0x0000022FCE9E0000-0x0000022FCEA0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\uninstall-epp.exe
| MD5 | 79638251b5204aa3929b8d379fa296bb |
| SHA1 | 9348e842ba18570d919f62fe0ed595ee7df3a975 |
| SHA256 | 5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d |
| SHA512 | ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9 |
memory/4236-215-0x0000022FCEA70000-0x0000022FCEAC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\Microsoft.Win32.TaskScheduler.dll
| MD5 | e6a31390a180646d510dbba52c5023e6 |
| SHA1 | 2ac7bac9afda5de2194ca71ee4850c81d1dabeca |
| SHA256 | cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec |
| SHA512 | 9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42 |
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
| MD5 | f2738d0a3df39a5590c243025d9ecbda |
| SHA1 | 2c466f5307909fcb3e62106d99824898c33c7089 |
| SHA256 | 6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21 |
| SHA512 | 4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
| MD5 | 8438df60c45bacc954e5c61fe8299a54 |
| SHA1 | 4b6e3613e738cf1cb7d6cf0966b43fa939878d85 |
| SHA256 | 0ec91fd26b3cd6a6760c00028e36b26ea87192e25fc0b21aafa5f208d22a7081 |
| SHA512 | 210eb6d2d273b6d52d9c07763cf27c06efc39ba50abd6d0eac3b9b5af0ef2025c5d9f6df0568979b419d19d6760da06e78cca78898a5b370418ac56a3ae405a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
| MD5 | 9b1043f08a6f7fb28e172c324658e774 |
| SHA1 | ffd4839ec47dc548d97eb85ff1d8b2ab513b373b |
| SHA256 | 2aa8224947013de567b0e5496bb1191f3a3ad0b74ef0b8ef39c04034bd1669d6 |
| SHA512 | 2698dd01e80f9e462a476b24371e01052bb677aa6e163ef5637f09f8fc8f8d2a78a3d1b864f7aa77ab5f9fb34a946b5dab5046775c256240c5625de93248b17a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
| MD5 | 0f8ea082dcac3cf1c61d3dd6320344b5 |
| SHA1 | a764e798982fb1c6d1fc1974eb788a596709c364 |
| SHA256 | 5d59f8b5bec5bca4a58c118fb7219768727821fc7ea332ae32cde786d158201a |
| SHA512 | c87058cdc9d7644f9cc56694a110b4018509abcd95b02d350ff9aa15579062c274c7a22bba5799ee422faaac0d94c24be368ac59da8c237cf83d8bcf6a6d64f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
| MD5 | 046f12577eb4ea78a1fad7f9026e70ab |
| SHA1 | 4f4c2a9048074d56e7506de8a22c1591e08b6cb7 |
| SHA256 | 4ba06bb583690bfe9a16c6680ed872e672b9da2cb97febbda6f685f4ab7e172b |
| SHA512 | 57dc022591d77cabc79d5e1bd24fa770e45f12eb5b2a4c467df82767dc4248c5b474be1b1a2574e5336cd5b089ded1c072fd091ba23b99a552913de5516383b0 |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 8c32366769719275a9e4d9916d0fb3fb |
| SHA1 | 56123f2303dbb13f583ef1ff689d5ca26e53ba12 |
| SHA256 | 2a8774e1bf13aa2116c647953dc5e712deca53caa6d5de04f92548c0acd7bee5 |
| SHA512 | 4d69b154c572da5ea185ae147855d542744bf2aff0024a88f51f1c73c57724eb9f50277476ccbaaf585e1291b5c019154877e7289880e32fd9d20f1d8c851eab |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\msvcp120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | 6fcb827fe4a5ae344eae27b53d368903 |
| SHA1 | 719c435846d0860c3c2baf27055a6d114890a8ab |
| SHA256 | bc67354096d13b85a1a13eeb7a2ad899bb35b003519756d28f145e3c040f7804 |
| SHA512 | 9659a187bccd6fa736fd187abcf57eeeb8b1323d8cc269bb9793978243abbdf830085d6e1df5da7876710ddb5cab20c79d2f53ef4acf6f4826504944fdd5e9cc |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | 65eeb6cb2049e4df3a1db20f15db52ab |
| SHA1 | 10182b8c8e95079b105bbe66247fd0e8e97d4eea |
| SHA256 | 68fe01a6df81242470ceb107f630a5be3281524ec8ea6aa2182b3847271ab053 |
| SHA512 | 38ddc0fe70b3f5051a8b2dc02c8dc4be695e9f0ac31654f42c1579b5df93c9708db09e6966fa61e528035c0d47bf09e4e4be38b670670948f8c65f3dc8ab18df |
C:\LDPlayer\LDPlayer9\phones.data
| MD5 | fdee6e3ccf8b61db774884ccb810c66f |
| SHA1 | 7a6b13a61cd3ad252387d110d9c25ced9897994d |
| SHA256 | 657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4 |
| SHA512 | f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512 |
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
| MD5 | 6c847932d63660b0e0ad0b0a4b9780d2 |
| SHA1 | 17139565a23b4a6cf1891296c8d1607ec7653a94 |
| SHA256 | ed60db47b383ab1f4f50b8542d22ce992c31f450ce9d33b946a84e0ebfd3cde4 |
| SHA512 | f8bb7521fb8f24dd12ef7e59731bb5e68cac0d75ad547216d97b6069e0ad48dc9a25c7917f760841df1604fbe43335ba039c299c3e2199eb6b1f8b53c4fd6b75 |
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\x64\Reason.ArchiveUtility-x64.dll
| MD5 | 366231ab413d0ce3ad65b38b4ab3e4a6 |
| SHA1 | f52e1886563137a4124d3096d7ede5ce1cd1e578 |
| SHA256 | ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d |
| SHA512 | 55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6 |
C:\Program Files\McAfee\Temp2049478404\installer.exe
| MD5 | 7891a2a1d8a263db846292708a8ed1f0 |
| SHA1 | 4044ea34ca9d112133e3aa5aed14a7c0ea952d36 |
| SHA256 | 6bf9a3e9f2874cc5474dc107a90c0484cf26c9c817a2f23a7e004b4e611180c0 |
| SHA512 | 00abdd3086e0528063216fbb44b9bbd18890b7629579361b54f751e8a22e0a3ee4f05a483ac4c3188ebb2c85c45f6a5922e7f1db3beb1ca0303c0fcf122a220d |
C:\Users\Admin\AppData\Local\Temp\mwa74B9.tmp
| MD5 | 662de59677aecac08c7f75f978c399da |
| SHA1 | 1f85d6be1fa846e4bc90f7a29540466cf3422d24 |
| SHA256 | 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb |
| SHA512 | e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0 |
C:\Program Files\McAfee\Temp2049478404\analyticsmanager.cab
| MD5 | 5be9597eb624a4897d79402c4cd34b6b |
| SHA1 | 0998b43ef247820ddaf7655a3ee527a64b8b41fd |
| SHA256 | 4d2c613e6cdd7ac00025b5da1329d52d63628257ff44a1686ac230f25cac2862 |
| SHA512 | 524937dc6ccfa241f96dcd7c9e9df0be6d8faa680d4b641b8a49cc687884b7e5b3a6939e516e3486c89a3a706f0ff5318581eb05edcf84b8740ff64baf110b39 |
memory/3504-712-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\browserhost.cab
| MD5 | 41840bd10dda1409adf6d83175c0d981 |
| SHA1 | b363a2922f5d69e22641bdbc3d070de324ae2d1f |
| SHA256 | a94ff5f7d7b84a416eca7f6f42d9bd012d1051b91dc574633429bce822f51c12 |
| SHA512 | 8828623e4965c88ea631010f2ede2e1c42b26183a00e50f665c37fff930956a7b4089629e24a728210fe61389dcc109386629280c3a5457e6072fe7ccd3820c1 |
memory/3504-685-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-684-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-683-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-682-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\analyticstelemetry.cab
| MD5 | f9424b351f5fd545d96ccc3458777f3a |
| SHA1 | fe13b0160e4cf4340952b4ce120ee4cc4ade29e4 |
| SHA256 | b7cbecfc093acfc824fbddac62e091b8bb04a1d0b59060e34cf715e1d93ae1c8 |
| SHA512 | dcc46a38db86aac6ba7e1083a7a5c0c9ff4aa91cfeee5c0a7ae6eb7f369521d8d575fa4261c3153a56777c851122139e781efff3ada9a1879450abd09702677a |
C:\Program Files\McAfee\Temp2049478404\browserplugin.cab
| MD5 | 253337eb5d13a9f79378de0904b0e448 |
| SHA1 | 5dcf4b41d3ec3eda26e7e25c9221643b62468962 |
| SHA256 | 05c9b53b895f9c79eb9e429f2bd11651a4b51018b9151fefe41d835212d515f5 |
| SHA512 | b7e2d2eb1dc29e1f5b87f73133ead258776aaf2ae21ba43d21d1fb91c61079cfd649be6c1aa2c2d9aa9982a1ba86978df18f677cec7b15919b1f2d44c888eef1 |
C:\Program Files\McAfee\Temp2049478404\l10n.cab
| MD5 | fca9378018e30742bc2c1fdac03fad41 |
| SHA1 | 46f9df6312920424d3f20914dab59874551f57ba |
| SHA256 | df2a4c968dce5c9a03ce10e2d0ffa243fd20b94e0d1f60d49a2709353efc4a02 |
| SHA512 | 0d39532169b19f240779129ecc49b4e582373350d51b73f3cfc91cf0b655f7845df48c57a219391926cd3105a5825f55a14db28c76be9ed9e8d9d4bfc5e54b78 |
C:\Program Files\McAfee\Temp2049478404\logicmodule.cab
| MD5 | a56c6d0e52f42d6546dfc17d1b539294 |
| SHA1 | 463071d9de6f6113d6d31890b50a49ca5af67354 |
| SHA256 | 6c9941e674abe2cce976f8bb49d11235b1563281cba8736aed383f9b79eaabf3 |
| SHA512 | 3f4a1211b17db79f276f9ae5ef9855f10780b2f8fce4d0308f672edd34399e6126e3f5694feb3c515d2d6afbd016830a987df28fc4390f5cfdb1d9d9b8e97e04 |
memory/3504-742-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\lookupmanager.cab
| MD5 | a447b6c857ae29a8b8f2e3bff007df6c |
| SHA1 | f3d245b7ef702290c82f8b6c35ef973bcc2acc99 |
| SHA256 | 55fb14f82bdb042f9a231dd069451112a2a792e711b96e593e264652c87e3b90 |
| SHA512 | 458838d2f2f9f5f4145db622dc44694a05caec9fb9d61fc7b600f108dfa5b0343dbbd99dd0a92ba938819cf4c5eb641c939cf9616d69f8ee049b8ae750e51d46 |
C:\Program Files\McAfee\Temp2049478404\mfw-webadvisor.cab
| MD5 | 0f79f075560c6c91116f4162c268ae54 |
| SHA1 | b03607d04958038477fd4dd5adb2a2dc0632d6ca |
| SHA256 | f89ab4291eae4b52e1adfa639f1776fb95ed411257a67b274e1f727e859bbc5b |
| SHA512 | f7966211c9e24eeb495a01d8185740a60634de0dfb19e1e5e78ab2c3184086ef256b68f3ca0eec7475302c13eaefe13aecd9d123fe5f3486661de3df51dadaa6 |
C:\Program Files\McAfee\Temp2049478404\mfw-nps.cab
| MD5 | b9071741dd0de141bc57f3c43a911202 |
| SHA1 | 9cef3cce37c8094a8609e39908fda7c8ade5b59b |
| SHA256 | ec74a91cfb9d3ab75b0c33fd9f92140d00d2ff0a52d5080a6aa4dcef6834bfa4 |
| SHA512 | 9e665f265f75e010ccfddb013c73e83b1d8b04eddfbc338deca8c982d5faaf4bbe2a9dc872e3d4739ec9ac29f0c74aa650effeea90d3967c8fb75d4c56032ccc |
C:\Program Files\McAfee\Temp2049478404\mfw-mwb.cab
| MD5 | eeba6fe0bf59eea07384faea7b8b57e7 |
| SHA1 | 8a7bc85e488c3063ad6fd644eaf66942d28be34a |
| SHA256 | d2c592dcd51c0ccf979634bb969eda7b4b3d69d5e9b225fe15b5a0a9a8a0a45e |
| SHA512 | 8daba71ee57042972f796afecf3c7020020a4951bc1b9fd4c867935c6539bfd85e78c794e27e99912aff7d0d2d0ddb37e727de1955fd044dd36dc8b8364a9837 |
memory/3504-747-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\logicscripts.cab
| MD5 | c1adad2f314d114594aead6816ea02bf |
| SHA1 | be8e53c61500376514848d007115293c88ea9b6d |
| SHA256 | f27e1c439d4c9ca4296b7c463ce76ea15870dbb8210c58ab4ca5f20d01112f7f |
| SHA512 | b6b5f50b81c24d801205ae9234ba5ffccdf25fe6c557fe284c83d80c7d0eac9e4f6ce5d3b2804484626269166f418476433101ab916bbfdde6535cefb876caa0 |
memory/3504-744-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-740-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\eventmanager.cab
| MD5 | cb3c3baf9d0f30958c3b9df32352a058 |
| SHA1 | ca427e00cdaa32f39fb4a6df8ba1aff5b8200f16 |
| SHA256 | 054ef467f43e73d3c5687966e8a2be5fe41ed099875ba179ea6a446cb8b75ee9 |
| SHA512 | 9567c4fc176e31a5ee06769f103c8d4d03ef6b873827b3efffc09c4329620c1d817ccf641004c419e4438f69820681b223a185ad415991be3af70d60f70ab3f2 |
C:\Program Files\McAfee\Temp2049478404\servicehost.cab
| MD5 | c8a4a500b1930513d44af040a04c3931 |
| SHA1 | 0cebba3d1012035c4799e97457c4e7a6f118d836 |
| SHA256 | a2ec67d5b61acf73159bacdbeb4bc95ffb5a51010ab5bfbffa8600da03180de0 |
| SHA512 | cbe176ee7968ea8d84792f0abe78b049f455902aba5a7c87d3ffff3cd679749d417084e27c88c1dc8de36791ac0ce3b09e0ae9818555e1d0d69deccfc58ac63c |
C:\Program Files\McAfee\Temp2049478404\resourcedll.cab
| MD5 | 05a260ee8a80494001fa1d4c7fa5a357 |
| SHA1 | 029898a55602d45dc656d43585f05748f4a10e5e |
| SHA256 | 5e6b92af5b48255e96cdb4815204b597bcb01332da99f16a33239b30f9b9e2d9 |
| SHA512 | 13adc543ed493498e1cf6d7087cec62e8dab689a9795101cf4df905dc6c3512effbb839e366c9abc1aadfebaff645cf31611e86f215e73d1fd6cb55178fb2d35 |
memory/3504-754-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\mfw.cab
| MD5 | 320a057206bdb5a7ce1a6cf9e7502557 |
| SHA1 | b851e2d941f013b74f64e50130481711460fd3a3 |
| SHA256 | 9f5c0192d1e924a9e3ef4590ec4f2483bd59da98227bb24970180b000759055f |
| SHA512 | 1393d881255bd5c7562cbc956f112d2945af6fb53a3e80744f58702211df72cc549ff02d824de3f681f38b2dac45367db3f74d12b94328e4f7942d6c2b213bac |
memory/3504-752-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-751-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\taskmanager.cab
| MD5 | 0894bdf9d21c032f464d71b1f5bd31ba |
| SHA1 | 0b60cc31217b1b24971eb39f67ba54291543fd69 |
| SHA256 | 79bd696a281c3eeaf42e5373d46e9caa7993a0ca7d07bb6d9a6e034cd7f999cf |
| SHA512 | e01a49270d2f272c0c984baf32b114a5d294ad463968fd821b82971075333937292c1026a61f135cd1eb851e2ec0d75e7766e2d61b613e40fe144ff7d2222764 |
C:\Program Files\McAfee\Temp2049478404\settingmanager.cab
| MD5 | abdcda6e45d446e3fac2227f1086b7f2 |
| SHA1 | 850a5bc7abf58be91a844ce0f4bd91a587978d2e |
| SHA256 | eedb70f956d92e3e2d7512f59c8f00637ba8f6dbc38ce357fcce0043a262006b |
| SHA512 | d64f13a94f874cb48c6dc6b2c9ab0308df81de1a4d647891961e17da7e5f9da6c2e24e8693307591f9a171c5789816aaaf73727398bde4773e6ee973323018d8 |
C:\Program Files\McAfee\Temp2049478404\uimanager.cab
| MD5 | d386a056952aa84bdc20fc2e73075102 |
| SHA1 | 7ecd4accd817e47a6b84c7e6f48eaee11fade196 |
| SHA256 | 73453d0b006e9bbf3c0d47da6740dd058d456e317e694f8c617ffa80874c7299 |
| SHA512 | 9f066df00221376ef5e790eb2c3cff8e70aea16604e5ede23294d1624b2d2746dbc46ada26dd355b15e02cafd2a11cf26267050fe5ccea1ba6a118006fe1de22 |
memory/3504-763-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\telemetry.cab
| MD5 | 656d5d8d3bccf3dddb443eeb6556dbe3 |
| SHA1 | b9c77ef1b9f64f2533086b9fc2024728b3e33034 |
| SHA256 | b09b64ea667d7638b054217d617dff83b3e2b0fec92271c4228df324124f4ef8 |
| SHA512 | 6b2a29d66ec4663cdc14137a26c663a239fae440bd6a23f07d1e585fcfc4cfcbcdc8df08475edfcde012c808b67be70e30811b13bfcc0ee80b612fee3dfd38fa |
memory/3504-759-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
C:\Program Files\McAfee\Temp2049478404\uninstaller.cab
| MD5 | 9b05a0c33183b3074bf15eb3e4188a08 |
| SHA1 | be04bf97d0120a4da92cc41a8044865a1221faee |
| SHA256 | 1fb7abd4977a7dc6f43113b21a4022b1097475f65cadd6d179ef0368beb28487 |
| SHA512 | 1fc8be40429ea83b3f6fcc8418237613bf2d53efb044a088255026f10b91a422d61b71d472a8b6e45fa5674b08d9036c82fa92277e9bd898cc1fad89f4bed1fd |
C:\Program Files\McAfee\Temp2049478404\uihost.cab
| MD5 | d4b05b3d41b6349234b48e6c0a7ad2f8 |
| SHA1 | 8d277c3eedf5a650a1ad25fc43609519aa0b773a |
| SHA256 | 93ba29bcf9b1d61cf1b8ac456141f3c2416506060741f3ee908de59451afc312 |
| SHA512 | 028006c483c103ad2fad92f18fa3ce33b312380fb995d653b9a2d386d6a7b0cb42fbcc51cc8c1a600b7be227be3840ce5afb56c14679db09c27fe317c571df69 |
C:\Program Files\McAfee\Temp2049478404\updater.cab
| MD5 | c4a33acb72e38f175643df1f4885fa08 |
| SHA1 | 2f43ae32571b98209f06e477e241ace819e9a7c0 |
| SHA256 | b870afb0e5fac44d1ba71dbf40f47991f20b54f8926bd620b2dd2f44975e509e |
| SHA512 | 9488964b486546413019ea070a3d21aabd79e017c23942706c863a9a75b26e3417227e32a10a0e8c61bf3094b26e7a49dd7ed8b33b217a330b9210f3e1357e36 |
memory/3504-761-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-779-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-775-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-774-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-773-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-772-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-771-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-770-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-769-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-768-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-767-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-885-0x00007FF739E20000-0x00007FF739E30000-memory.dmp
memory/3504-866-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-863-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-861-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-860-0x00007FF6F8910000-0x00007FF6F8920000-memory.dmp
memory/3504-835-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-832-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-830-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-825-0x00007FF6F8910000-0x00007FF6F8920000-memory.dmp
memory/3504-818-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-814-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
memory/3504-782-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-781-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-785-0x00007FF6DACC0000-0x00007FF6DACD0000-memory.dmp
memory/3504-780-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-778-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-777-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-776-0x00007FF72B790000-0x00007FF72B7A0000-memory.dmp
memory/3504-934-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-1025-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-1007-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-1000-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-997-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-995-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-994-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-992-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-990-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-985-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-963-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-962-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-943-0x00007FF6D3040000-0x00007FF6D3050000-memory.dmp
memory/3504-932-0x00007FF730870000-0x00007FF730880000-memory.dmp
memory/3504-931-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-921-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-919-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-917-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-911-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-895-0x00007FF73AE10000-0x00007FF73AE20000-memory.dmp
memory/3504-796-0x00007FF74FD30000-0x00007FF74FD40000-memory.dmp
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | c3451c05a80dd11046dc6385b22c6fb2 |
| SHA1 | 12c05379a1e4564da6d725bbef1d3126700bdc2e |
| SHA256 | dd3d50aa16e7ab84cc5ae2f70983059b8723d72d226a2a2a300b401496d717dc |
| SHA512 | 132afbcaca8890539136bae0a00888f75883a9cd4be6667856324a914239982a7cc66e8c5540a8b1795474b428826bd3b34b94cbec200fefed125e0f7ff43b9f |
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
| MD5 | 881692131dea6986602019810bd173b4 |
| SHA1 | e8522be15d8516719b7d953ceb4af2bf67664ec2 |
| SHA256 | 2b76c7ab98719a3fe3dffaf56c5ed9319582baf972c15dd3a1a138e5072dc2a6 |
| SHA512 | bc225403523b15dfb38c682d4812739901b8c00d27dd7b39e204c7d77d3697dd90e9142f2021100cc9f4314eb9ed35ff990aad9c739cd4192b24330e2f0ae9b4 |
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
| MD5 | bd4e67c9b81a9b805890c6e8537b9118 |
| SHA1 | f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27 |
| SHA256 | 916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8 |
| SHA512 | 92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 4198e7f2ee65070d3d666e754d4b3dd3 |
| SHA1 | d12fc7a09596caa9ab27a58adf176f43790cb141 |
| SHA256 | 3a8ed2ae57dff84ccbd01d89b82875f5b883fe9626ee03ceadc3f5145f3b1683 |
| SHA512 | abdde7fb6e298d4f9f6db26a255464b3c395401055209640f7beb8860d886eedcba1337cde3ff56bf36d2522d3766c105912f65df4fd34e8d8edb1061c85350c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 38f59a47b777f2fc52088e96ffb2baaf |
| SHA1 | 267224482588b41a96d813f6d9e9d924867062db |
| SHA256 | 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b |
| SHA512 | 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ab8ce148cb7d44f709fb1c460d03e1b0 |
| SHA1 | 44d15744015155f3e74580c93317e12d2cc0f859 |
| SHA256 | 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff |
| SHA512 | f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8c8b8956c5a25ee5bbfde4902226b64e |
| SHA1 | 55db876b5d14a54b2960df9602368236246b28fa |
| SHA256 | b9c510ba8a8e64414fb8127b756bc99c5ac2fec35a0b0a4f74a0ac1b6fc135d7 |
| SHA512 | 8857439d5f5ab488a1cf7e3dc47d4929ab5905f1764e3f965393cac88211e9b350fca38951853f8c5d844f437bd945a436890c012a832e64a422246d9df8c165 |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | c79d0cb3ac9401b35d3b64abd2eff932 |
| SHA1 | b3fa7044b0569330efd77c2278df6e73c06f808f |
| SHA256 | 42e747d2fc0e4c00c529188b090e2e588c5ecb885927f08de2444861bddb0cc7 |
| SHA512 | b532041836addf0706e20259caea931f6769690b75fdade6539060a6c5e55c7a92a2f1453f7ce2fc60bc6c56de5f9b79639047bbca209ce9a6956e29f39c64fe |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 4514be4f770c19528a3cf2a6e2bb856c |
| SHA1 | b83af49703f7936c72aae7244226bed8c14c33af |
| SHA256 | 5215f7737b6d8b222924c851b00f0cba3481465fdb4a9c1400217b900f4d7710 |
| SHA512 | 3e74d4bd4abb72ff94b00e2af9e5644c4a3d4f91478c1b19f339d045f870e52877db3a00c7a200fd64ddaa97e79c0d1139c800d434ddbb212389fdc0f04036bb |
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
| MD5 | 00b6cab6ba8e9d5197b17f57596d4f49 |
| SHA1 | 78f50610b982ca2ad8bf0043d67c5ba975e024ef |
| SHA256 | b30c10b3bd2119bf9b3e420a1b26542acf801ddfdf46480ccc11e9d81e958dea |
| SHA512 | 8df4866ba40835761c7fa4b6d857e7f83a910037e573b7dc763df44eb7b2da7c86c52964d27104ed333e00324aa7f09d343beebe6fa8b4d7129ad3ae19eadb4d |
C:\Program Files\ReasonLabs\EPP\mc.dll
| MD5 | b1e90962b3fa14291312e7f82b0eab9d |
| SHA1 | 3fe9ed4bd9ca3cc0ff34130a71d4bf44b4b59933 |
| SHA256 | 0ae59059eb797352185e590151f876962e797a78acb8ebd3ddf6400dfd6e0264 |
| SHA512 | 1443594d548ffdf75ce765486bbe99679083895e03c1242af0d9ad9eeab8ed13dbc3488b872440c5b56ab101318383aed6f25cc659d85f662a0f5504a5831d38 |
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
| MD5 | c1ee566d9d2d4c41109c73e2b7fed42c |
| SHA1 | 68f9c35a9a5cdc396f09a94425c4ae87ce9ee3f2 |
| SHA256 | 10540b6e26547eaed68893f6a0e66cdcee41db69dca3affffe0ccd0c9012d2b6 |
| SHA512 | 6b8d1fae02c5a3a4be5f653c9de50f89655050827d13add3acd8bc4d5a28072cd7aa8d618a356aa60b0cb5effbfa3eb82ea1e2fc00921b20b4fafd63807c594f |
memory/4236-2816-0x0000022FCEE80000-0x0000022FCEED0000-memory.dmp
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
| MD5 | b18e755939ccacc936879f4c16aee4c5 |
| SHA1 | dc8018d8258d0768dcb39f0aeff57eb1188d69a6 |
| SHA256 | ecbb51b5df9f788c130e71ebb9881e26ab814c3f9f521164f88aa4f521aba2df |
| SHA512 | bf1091c478bc278366175bf7e485cfbd63e5b50cc0073c043166ecebeeb7ca878845fb2ac64add35d7af654db3671b55c2daf79f4084089ba8fbe92cce5e68b5 |
memory/4236-2950-0x0000022FCF070000-0x0000022FCF0C8000-memory.dmp
memory/4236-4580-0x0000022FCF0D0000-0x0000022FCF10A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\c79d7bd2-198e-416d-80c9-c4f115bd3e45\UnifiedStub-installer.exe\assembly\dl3\2050e76e\8e00be9b_fae7da01\rsJSON.DLL
| MD5 | 422a34a07bf00303012c8f130fb51aa6 |
| SHA1 | 6e60d28383cdfe714c097ca0c85d3eeb73e2bb00 |
| SHA256 | cf155a5acf93578eefa9307a8ab6268f4ce37d493fdf4263164fffb96a92ce68 |
| SHA512 | 6c190c83359d0f99c3b680bbbf0556f0151c7304e2cfcaa44e5261629ae1488692803aed11bd3b571bf0ab7227d054c57a63e62721f5b26a360c755c5f6474af |
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\c79d7bd2-198e-416d-80c9-c4f115bd3e45\UnifiedStub-installer.exe\assembly\dl3\92d063d2\0927be9b_fae7da01\rsLogger.DLL
| MD5 | 870d12c755207b5e1b95b5a6dfe2ad27 |
| SHA1 | 85f9fa6a3d0866c323fbc9b337ea39e5aca4cd56 |
| SHA256 | e71e353a022573c8cb3fa92e98c5b7a60c7008aaba90c2b0e4b6e33cdaf8ef40 |
| SHA512 | e26ea78f3e0f4ce52155204ef50a7a26069602cb4870a91d4a1ccc580b90bb2f0ffeb6e23619fbb13542688afaa0be998b05aa984993363c7464415c1f1da784 |
memory/4236-4592-0x0000022FCF0D0000-0x0000022FCF100000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\c79d7bd2-198e-416d-80c9-c4f115bd3e45\UnifiedStub-installer.exe\assembly\dl3\6a3be9ad\2f85ad9b_fae7da01\rsAtom.DLL
| MD5 | 18be5ed564d1fda8fd535137f3aeda9e |
| SHA1 | 0fc2a790fd3ecca41e385a36c8771903756c2c76 |
| SHA256 | 18c388e8445141b41c85c567f5fd23ab4a566531dc0adf79d931cba3c58eb5ca |
| SHA512 | 4fb25c819c1a7566de6875d17ccf21268a5bdfc49517a9077be4672fe4b68af330379f46fc850a3d7c5d40333d81ca6aa4c5713542f2d0a7d93a90bdcbfa754e |
memory/4236-4604-0x0000022FCF0D0000-0x0000022FCF0FE000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsEngine.config
| MD5 | 8f0226643e7cd6f7985447cbf71e9031 |
| SHA1 | ae0df1350d61a0cff8dcc42c0f61d256f31b2efa |
| SHA256 | e69de3a71a69107346ac4723fe3b1d43910696bb98271380ac58abde714c5fc2 |
| SHA512 | f98ccb69c3aa0c80cd83210a08296421d8e2cbe801b7199f1d440afbfdc8f29e20e9bbfe509471450b4b25903433b3592b58d925b67511bc71df6a67938b5901 |
memory/4236-4617-0x0000022FCF1B0000-0x0000022FCF1E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC753E969\c79d7bd2-198e-416d-80c9-c4f115bd3e45\UnifiedStub-installer.exe\assembly\dl3\40a8edcc\229cbe9b_fae7da01\rsServiceController.DLL
| MD5 | a2125e3a8189aef14cbd8cfe059fdf53 |
| SHA1 | b1b6db623549e11ed28058aceb6b8105f999b8c0 |
| SHA256 | 337b6d848ebffe68a149103d31dc3a78d10e24ed66d8dddce3e7a9ff91da76e4 |
| SHA512 | 876d76bb5d4de73181bf14950a5b65e909131040794eb8c86a170e0f17890488adc1a39eac3175dda9a244fb8bcd189608792b8bc3ea54921152c178ddcc86e1 |
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys
| MD5 | 8129c96d6ebdaebbe771ee034555bf8f |
| SHA1 | 9b41fb541a273086d3eef0ba4149f88022efbaff |
| SHA256 | 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51 |
| SHA512 | ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18 |
memory/7200-4694-0x0000029051990000-0x00000290519BE000-memory.dmp
memory/7200-4695-0x0000029051990000-0x00000290519BE000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | b2ec2559e28da042f6baa8d4c4822ad5 |
| SHA1 | 3bda8d045c2f8a6daeb7b59bf52295d5107bf819 |
| SHA256 | 115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3 |
| SHA512 | 11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01 |
memory/7200-4708-0x0000029051D90000-0x0000029051DA2000-memory.dmp
memory/7200-4709-0x0000029051E10000-0x0000029051E4C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
| MD5 | 43fbbd79c6a85b1dfb782c199ff1f0e7 |
| SHA1 | cad46a3de56cd064e32b79c07ced5abec6bc1543 |
| SHA256 | 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0 |
| SHA512 | 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea |
C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog
| MD5 | 8a0b93abf7961a386f153a4165e099f1 |
| SHA1 | 388165bcf6100b6a6c69cc51693716116e4c4896 |
| SHA256 | e1eee4a919996c03ff2a0f0a3617e48bbcdf3c41c9535466de7a02fcdcae680a |
| SHA512 | 36972b5ffdde91754c3d2a336856f9bbe9f5bc7fded2420ae8f1ba66df905b0e189327eecc6eff9deb3df29c288dfb60aa16c8f9dbe501e449b92a67aaf5edac |
memory/6316-4740-0x0000024B701D0000-0x0000024B70536000-memory.dmp
memory/6316-4741-0x0000024B6FFE0000-0x0000024B7015C000-memory.dmp
memory/6316-4743-0x0000024B57610000-0x0000024B57632000-memory.dmp
memory/6316-4742-0x0000024B575F0000-0x0000024B5760A000-memory.dmp
memory/8256-4748-0x0000028AC2500000-0x0000028AC254A000-memory.dmp
memory/8256-4749-0x0000028ADC930000-0x0000028ADC98A000-memory.dmp
memory/8256-4750-0x0000028AC4110000-0x0000028AC4138000-memory.dmp
memory/8256-4751-0x0000028AC2500000-0x0000028AC254A000-memory.dmp
memory/8256-4761-0x0000028ADCB20000-0x0000028ADCB64000-memory.dmp
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
| MD5 | 0dd7ab115062ec8b9181580dbd12ff02 |
| SHA1 | 28a9115deb8d858c2d1e49bec5207597a547ccf0 |
| SHA256 | 2fe9b5c64e7ef21c1ea477c15eff169189bac30fd2028f84df602f52c8fc6539 |
| SHA512 | 2c1a4e5ebf7ab056d4510ea56613fec275ca1da8bb15ed8118e9192fc962833e77974a0363538cebf9ab2a1a1ff9486c3078d14b4820c2a8df803f80f94e19f1 |
memory/8256-4779-0x0000028ADCF10000-0x0000028ADD168000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1d7141be2ff648411d583cd5212e425f |
| SHA1 | 12b9eed846927450555dad1ca9df559bb302fb55 |
| SHA256 | b536c5810a79a702d43b51ef4fb1febc63b8caf547a76f984e216f50450866b6 |
| SHA512 | 95b3b0e3ce155dab42d3d6a26a78dc1fe554c45ea1d57ef43a5954be348cd9c03b01d78f31c2324e2a7f80ea12970dd6c9b02e6c185be282a5f8d2a812e83b00 |
memory/8420-4788-0x000001F454BE0000-0x000001F454C10000-memory.dmp
memory/8420-4790-0x000001F46D2F0000-0x000001F46D316000-memory.dmp
memory/8420-4789-0x000001F46D330000-0x000001F46D368000-memory.dmp
memory/8420-4911-0x000001F46D450000-0x000001F46D4BC000-memory.dmp
memory/6252-4910-0x00000183175F0000-0x000001831761A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d9742de500f7546d5701513e7bf78187 |
| SHA1 | 2cb3acdfa78b7b74235fefd3973fa17d1bfca5e8 |
| SHA256 | 961a1d59e27300e97eff2f23cdb371988c994467ff6c048bbbf2a1b83ff86671 |
| SHA512 | 35b13c10a713a70b7db564ab53d504b86f671ef1fabd194cfdba99abb9d2ebb8a7cf24054e9bc1602eefc0feab18c1979f73e27c0e5b27c885f26d07a6aba0c6 |
memory/6252-4922-0x0000018331C70000-0x0000018331E30000-memory.dmp
memory/8420-4921-0x000001F46D3E0000-0x000001F46D412000-memory.dmp
memory/8420-4924-0x000001F46D3A0000-0x000001F46D3CA000-memory.dmp
C:\Windows\Logs\DISM\dism.log
| MD5 | ef6319faa6e590fe197dec9d52d74c35 |
| SHA1 | f0a76e805f11ea1d691c3263d071112b2678c7eb |
| SHA256 | b8a1e22a92776b8611e7e944d8ece9d4e3bb4036538b5bb23c54cefcdfec036d |
| SHA512 | b9303ef59e555f226093580af13c60a0160de04e4d948b0b3ca363ce41ab09975c16f870129be4fa3aade612255517df441152736157641b4f6bc2650e31ac3d |
memory/8420-4923-0x000001F46D550000-0x000001F46D5D6000-memory.dmp
memory/8420-4940-0x000001F46E060000-0x000001F46E306000-memory.dmp
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog
| MD5 | 1068bade1997666697dc1bd5b3481755 |
| SHA1 | 4e530b9b09d01240d6800714640f45f8ec87a343 |
| SHA256 | 3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51 |
| SHA512 | 35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329 |
memory/6252-4927-0x00000183175F0000-0x000001831761A000-memory.dmp
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState
| MD5 | 362ce475f5d1e84641bad999c16727a0 |
| SHA1 | 6b613c73acb58d259c6379bd820cca6f785cc812 |
| SHA256 | 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899 |
| SHA512 | 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b |
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog
| MD5 | 6895e7ce1a11e92604b53b2f6503564e |
| SHA1 | 6a69c00679d2afdaf56fe50d50d6036ccb1e570f |
| SHA256 | 3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177 |
| SHA512 | 314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2 |
C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog
| MD5 | 789f18acca221d7c91dcb6b0fb1f145f |
| SHA1 | 204cc55cd64b6b630746f0d71218ecd8d6ff84ce |
| SHA256 | a5ff0b9a9832b3f5957c9290f83552174b201aeb636964e061273f3a2d502b63 |
| SHA512 | eae74f326f7d71a228cae02e4455557ad5ca81e1e28a186bbc4797075d5c79bcb91b5e605ad1d82f3d27e16d0cf172835112ffced2dc84d15281c0185fa4fa62 |
memory/8420-5074-0x000001F46D370000-0x000001F46D3A0000-memory.dmp
memory/8420-5075-0x000001F46DDB0000-0x000001F46DE0E000-memory.dmp
memory/8420-5076-0x000001F46E310000-0x000001F46E679000-memory.dmp
memory/8420-5077-0x000001F46D500000-0x000001F46D54F000-memory.dmp
memory/8016-5078-0x000001F54D2C0000-0x000001F54D2EE000-memory.dmp
memory/8420-5080-0x000001F46DE10000-0x000001F46DE76000-memory.dmp
memory/8420-5079-0x000001F46EC60000-0x000001F46EEE6000-memory.dmp
memory/8420-5131-0x000001F454A00000-0x000001F454A26000-memory.dmp
memory/8420-5129-0x000001F46DE80000-0x000001F46DEBA000-memory.dmp
memory/8016-5150-0x000001F54D3B0000-0x000001F54D462000-memory.dmp
memory/8420-5151-0x000001F46DEC0000-0x000001F46DEE8000-memory.dmp
memory/8420-5177-0x000001F46DF30000-0x000001F46DF64000-memory.dmp
memory/8420-5176-0x000001F46E680000-0x000001F46E732000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7c2cfbeafe95096ed741ece03eeddd28 |
| SHA1 | 603ad448f2052006a1020ae8b4d35632cd38eef8 |
| SHA256 | c2840a8673a4f3578b96b734aeb710534e4728be4d5929899415dd74e9cf4700 |
| SHA512 | c709bb82c782b4d8083d3901a7e5c026e6ec423f79a8e4e049df7e4d3e28ea09814e8dc01c8405911dcbb5159826377e6982180f0e6123cfbf80723ef2849299 |
memory/8420-5189-0x000001F46DF70000-0x000001F46DF9E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6f38402e629e2fd9f6c80ed1c738a194 |
| SHA1 | 3ff17824f3bdde4623d50f809d0239a185debc99 |
| SHA256 | 52139fc6f308e882a106202c651b1f0f8983798bd58331967f71db8644ae19e3 |
| SHA512 | cf54d9d7f281dd0534f519149de21c4b6092229c875b1186f3435bba66709e4511a3b5f48d6813677843e153da9d3cbecede2b85097ad2d231d6c3506cc59573 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 641616f77274deb83352c08bda2fcdfb |
| SHA1 | ec9f2841a201f79160efcea6d5be668e75115941 |
| SHA256 | 1b5b58e6befd69eb9b3e4f69db6ec789f043eec309e296d892e881eb2eb97545 |
| SHA512 | 74146e3466eeed75cddd46c61d357d995cb8d43f07ef7701f1884879108eafb13032d92d9e783694bba085f263a5234aebd7f23e385160d8cb667ba30dc88edc |
memory/8420-5343-0x000001F46DFA0000-0x000001F46DFCA000-memory.dmp
memory/8420-5344-0x000001F46E740000-0x000001F46E7A6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4a4ec42fa566dce1cd814f0d7c32443c |
| SHA1 | 77659196e2800601526b472e5e93153d46a78115 |
| SHA256 | 211476653460d9c030d9c04a3665b7393148d7579c09748ad7783db4dcf73665 |
| SHA512 | 1b9636dbfcf2ef7cc90b7ed11baea3d89450b611256ad2717382ea25f47889bacf09082578beca4f5b423bc82ae91055cc702d1d725732e0c64f47a01b13adba |
memory/8420-5350-0x000001F470130000-0x000001F4706D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 625183f115c2711b04aa31d086b9422b |
| SHA1 | dfd93054ea9023fc9b96da1bf5b4a17d9c63d48a |
| SHA256 | 60caa77efc38ec9c22f3fcf17372be853a216810986b31e60552b672a9d7f9b4 |
| SHA512 | 1b18142bbf01e63b693787a0adfd9cb8ed0986cd810decc93e0292bc9c1ef6ea992827664b7fdc692f986f30f004e0bbbfc9208df50a07ea0bdf4da95c083bca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d095.TMP
| MD5 | 440e499072cd66533a5036579f69a22f |
| SHA1 | b32a30304d97a1cb58813c37c0862104fbb3340a |
| SHA256 | 9db77b15334fa567c731075e124b750d5809f6262b4ca4210946e3f4302a2602 |
| SHA512 | f68a27f8c6b0ae9afd50bb2a0070c720325ecfafbc5a909541a6ebcfbd7c338292d283bef71902f0659ecec63b6804967e8a6d653c3c3cf402f8d8c4065d002f |
memory/8420-5364-0x000001F46E7B0000-0x000001F46E7F2000-memory.dmp
memory/8420-5365-0x000001F4706E0000-0x000001F470960000-memory.dmp
memory/8016-5381-0x000001F54DAC0000-0x000001F54DDB0000-memory.dmp
memory/8016-5473-0x000001F54D830000-0x000001F54D88E000-memory.dmp
memory/8420-5491-0x000001F46E010000-0x000001F46E042000-memory.dmp
memory/8016-5555-0x000001F54D8F0000-0x000001F54D906000-memory.dmp
memory/8016-5556-0x000001F54D8D0000-0x000001F54D8DA000-memory.dmp
memory/8420-5558-0x000001F46DFE0000-0x000001F46DFE8000-memory.dmp
memory/8420-5559-0x000001F46E860000-0x000001F46E886000-memory.dmp
memory/8016-5561-0x000001F54E750000-0x000001F54E75A000-memory.dmp
memory/8420-5562-0x000001F46E890000-0x000001F46E8B8000-memory.dmp
memory/8016-5560-0x000001F54E730000-0x000001F54E738000-memory.dmp
memory/8420-5563-0x000001F46EEF0000-0x000001F46EF22000-memory.dmp
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt
| MD5 | 5b8a089c048488d65c92826bc201a4bf |
| SHA1 | b28cf5713d43b6e9f3ca1f7cd12f3ba6a0a2b631 |
| SHA256 | 27eb7a3d4ce6f8a001d2020932792fa0b1f181bd62a21cc899b4f680b8571f2b |
| SHA512 | 86f931d115277eced02118a9b2cbab72ebad39c3e602cb5068466630ff03bfe5969aae0665d2f79263ebef2b4cb9341a6e0d1b0fa01ba3c24a37e72ca4fcdab9 |
memory/8420-5569-0x000001F46EC30000-0x000001F46EC54000-memory.dmp
memory/8420-5570-0x000001F46EF30000-0x000001F46EF5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ih3grufu.i2i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp
| MD5 | 3b1ec0ce9c80815e263b14a7c0cbce34 |
| SHA1 | fc2809a8b17be8e2f3489284c521df3c6e1ed7d0 |
| SHA256 | 7bca6765c36236563953edc64a3f917764dc2a458b8ccfa17aa8156d09cd0215 |
| SHA512 | c5ee74dc93b4525dd6b02e9f1d657699da153a99741759decc575934e0084a4216c1a4ac11575dd8fe3d4a740b0e58b9f60f56feb994c77b80e541d61233ad0e |
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp
| MD5 | 8b314905a6a3aa1927f801fd41622e23 |
| SHA1 | 0e8f9580d916540bda59e0dceb719b26a8055ab8 |
| SHA256 | 88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99 |
| SHA512 | 45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e |
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp
| MD5 | 2a69f1e892a6be0114dfdc18aaae4462 |
| SHA1 | 498899ee7240b21da358d9543f5c4df4c58a2c0d |
| SHA256 | b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464 |
| SHA512 | 021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346 |
C:\Users\Admin\AppData\Local\Temp\48a1635b-3596-4ccf-b70a-5cc432f2f9a8.tmp.ico
| MD5 | 85d49a7f82ddbde5598829b755b84261 |
| SHA1 | c87770057fc05f5e3088f2d5c0f38f4aeae7d516 |
| SHA256 | b79838b15a988ea1aaaead3ba1353d54085cc76008489fb42f614e96f8b46aab |
| SHA512 | cde6caf5817b5a47abdcf89448209b14b28b4e69f5968fa52dbca65a89ee8aebbd786c465ad0683a0fcb5613cd41649cf6c34f550a1b5e63c86ec1f250fd47a6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\GPUCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.34.0\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.34.0\Cache\Cache_Data\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.34.0\Cache\Cache_Data\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.34.0\Cache\Cache_Data\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt
| MD5 | 8bcf5f2aac2ace0b6dcbe1f492dce5a9 |
| SHA1 | a76f71d364122ca6b128e49405eb3ddcc1d1cc91 |
| SHA256 | 2456086f3c5ba085bba726acffa305efeffd16f2c34b0c233fc42935fa2e978d |
| SHA512 | 2ca8558fdcba42b71d1eb6604015aed19ca3579e97f4f911305b1f4bf0cd1232515b73348ac4ddb187f3f53718f63f23d2f7c5bf07faed04b15ce20d21f1b2bb |
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\ldmutiplayer\cximagecrt.dll
| MD5 | 66df6f7b7a98ff750aade522c22d239a |
| SHA1 | f69464fe18ed03de597bb46482ae899f43c94617 |
| SHA256 | 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f |
| SHA512 | 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e |
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | e8fd6da54f056363b284608c3f6a832e |
| SHA1 | 32e88b82fd398568517ab03b33e9765b59c4946d |
| SHA256 | b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd |
| SHA512 | 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 01c4246df55a5fff93d086bb56110d2b |
| SHA1 | e2939375c4dd7b478913328b88eaa3c91913cfdc |
| SHA256 | c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889 |
| SHA512 | 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | 77138e2662cdeffd61cf6210ae3fb8ca |
| SHA1 | a085b99630efc74cedd0be9a0eeb57eff7b3850f |
| SHA256 | 68c83685da55573ae966db3113ee513dd76ba489024373968e527bd44d814724 |
| SHA512 | a4621910aa3ae4b5dfa558e69d0270717341467cf067d9397e2bbf118f789c87eef8750ecb25ffd9c60f51f35ceb40b211ce9a738116c4dfc06e543ac90d1bcc |
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
| MD5 | b2e3ba2084f827f2e46a917983363f0b |
| SHA1 | 41fd27f8688b7a755abc0acc72a2a6a0e1045c78 |
| SHA256 | 7daa3d35584a7e87c3e8e3afeb436d088209966471d6c766328087823f1f3e73 |
| SHA512 | 4aea989bda6efc91836264f04f23fb3760764e3ef7809f618ad949c2e64b5a167fe5d054607535ec22fea4942d9ddc5ea7f70a1f529ee23633c1cd275d90e508 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7bcae9498ab3165c1a31358bb14ea267 |
| SHA1 | 4fb295bf109b1f72a2f9df8aa83e274f9ff82518 |
| SHA256 | 05b49bda72a05e487d2cb96053d3ae6265a435284fb68638cd7ac45b0407e20a |
| SHA512 | 4e5f07700e67ddd4a77d961b18c3da2480064b54573067acf4d7f1b1073e42d034b650029617ad3926865ef9a18aeeed6418a202ef166bd8268b091e91e514ff |
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
| MD5 | b251ac8a6a30802d1101f394eed05ecb |
| SHA1 | 726b06bffdd77ac489e4b6b938d6d0482987456f |
| SHA256 | 3e26937d8912797af28f2b3d0e98cb9103ea2b2901774f61f30e4340b8931bb5 |
| SHA512 | 7caade3af5f0212beb311b8b024ef83c614c3cb51f26c221e1e50307ec036bc94c214fe1e0b05faccba571fc8c9bce2ab0bd44d55418cf660b8ccef9c428f272 |
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
| MD5 | 04f2ef83c38f01c9c87fa6ca3fbc09d5 |
| SHA1 | 4ae34e7a2ff88eb2913fa635c842bbb2d328f1b6 |
| SHA256 | 13a95c7a9ff553945b193d7884b95aa858d2b88d26c3bd365de96348f394d921 |
| SHA512 | 58203e458345f56049f71ce3cb92e8c4041f1434bc0fb82f7ce46e801e5f45461163a3d27fa63fc81aa08a5aa3ac1e10c95a90b428924cb1556a54f98929c790 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 05720cf365bb50e832db8cc0d54a0844 |
| SHA1 | 77310618e11d4b5fc3754b064c95a16da487ce5c |
| SHA256 | 15d8d17e384d1598e5f6c3fe73016a5729d246325917aa6b5278a479f95c21d3 |
| SHA512 | 0d682e1600be5e2a6c9fb2debd847c78df06b839583ed16cf64f120c4c9e210f4fd05cca7b5e9ce84afe84582a47ad67a669aac19bec94480e90eee1eaf4dcae |
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
| MD5 | 4d592fd525e977bf3d832cdb1482faa0 |
| SHA1 | 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef |
| SHA256 | f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6 |
| SHA512 | afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2ed89667cecc67b797ab6acbfefe64fb |
| SHA1 | 66f848ebc018ebb4fd81465a940b7d4c349bc9ab |
| SHA256 | 55b6056b718e80825742907098e602b270baf7140d8441fbb7d938f434851589 |
| SHA512 | 041d5a1dc96dc8b5259f91dfa0f0d7c524b5de4fec95c0d84ae914f0406ee0bb3d40a5ab0c0ec10049a7cc9da667cfb40e9f4388cfb20056ab23c2d0d842295e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1cf07d8fab4657df4a4ed6a1ced4caf6 |
| SHA1 | 9c67f61b06cfe2615b4c1acd6d76b7357ac66519 |
| SHA256 | dd96c32b8a56f9e3e0d504b64838b0ef2f5ca2a965203145d6a0c2fbda32f0f6 |
| SHA512 | 40ad24d0804a6539923f4dffbb658335f99393fc6ccadfdb6eb17d28367e4430a4feb590bf2c3452dc350528308fa22c66a739b6680f9db6b50998fb4e782465 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1ae5db203fa00423374c881775b9546d |
| SHA1 | 8fad6d304cb0011aafc990b415fa0b8429f631e9 |
| SHA256 | ad8eb246d5b1b374cad20995933c38b783525c713f64e32c9d932c4ced0f1ea6 |
| SHA512 | b5971a3409699de91275c5cf467f66acfe4af3a6533c31502e0d2dc894757ab389457792532c9217f3e71aa3fcd84e7fdb82c33952afaa70ddfab5bc994d5942 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | acf8ced5ca7f4732b6d0d602e65ddfd6 |
| SHA1 | 0bcac7c671bde885d22b75c4dc991e85c917e535 |
| SHA256 | 3c81b88706692462b8385832a64bf1c4a6ea88fb86f71204d87e54cf61e36b83 |
| SHA512 | 070ca5cbccc63729d49f08f8cc4b0609f51fa1d42da0028c771a5b1d585ef8e28c1db9cad60f95ff7feb118c931e4332cfd58d5261cfc99e3251c7d75e9d35df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e1e611d4ea14421990a4902ccddcdd21 |
| SHA1 | 0a95ee8fb7f3188081aa28ed4512401d7ba0ab3e |
| SHA256 | 2a10acf5d85d4fbffa6914fc2dc09a63723a39cf6c34104b36f85b97beb5edb5 |
| SHA512 | f0e410f0404c16323c3930260b922bfa7643d1112b3305a585bb2c10c133062ed71ec397df08c2678a7a927eb9223b1d1f93f4de2caf4dec329a45d1cb2bbf71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d35698197e505a2b239fb1ef1062520f |
| SHA1 | d79db9af27f3b3189108716b2e8ffd94d2f5711a |
| SHA256 | eee15f5346639c73aeeffb2d79c7a10f4686979bc1d5377e2ddcc709a2bfb4d3 |
| SHA512 | 9407e81b54b431564b91600f359a4198b8e66dd5c1f4befee076f84a5517902bd34c20d39b1726bd86679265ab3ca532844956d69c162c88e5306846a51cff8c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:15
Reported
2024-08-06 12:25
Platform
win11-20240802-en
Max time kernel
425s
Max time network
426s
Command Line
Signatures
Checks installed software on the system
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dvloper.granny_25567197_ld.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| GB | 79.133.176.186:443 | cdn.ldplayer.net | tcp |
| IE | 99.86.122.208:443 | d19mtdoi3rn3ox.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 186.176.133.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.122.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| IE | 3.162.143.31:443 | d1arl2thrafelv.cloudfront.net | tcp |
| IE | 3.162.143.31:443 | d1arl2thrafelv.cloudfront.net | tcp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | d9cb0b4a66458d85470ccf9b3575c0e7 |
| SHA1 | 1572092be5489725cffbabe2f59eba094ee1d8a1 |
| SHA256 | 6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05 |
| SHA512 | 94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6 |
memory/4908-12-0x0000000005ED0000-0x0000000005EE0000-memory.dmp
memory/4908-13-0x000000007263E000-0x000000007263F000-memory.dmp
memory/4908-17-0x0000000005EB0000-0x0000000005EC6000-memory.dmp
memory/4908-18-0x0000000072EF0000-0x0000000072F06000-memory.dmp
memory/4908-20-0x0000000008870000-0x0000000008E16000-memory.dmp
memory/4908-21-0x0000000004220000-0x00000000042B2000-memory.dmp
memory/4908-27-0x0000000002D30000-0x0000000002D74000-memory.dmp
memory/4908-28-0x00000000092E0000-0x000000000937C000-memory.dmp
memory/4908-29-0x0000000002E00000-0x0000000002E66000-memory.dmp
memory/4908-30-0x00000000098B0000-0x0000000009DDC000-memory.dmp
memory/4908-31-0x0000000005ED0000-0x0000000005EE0000-memory.dmp
memory/4908-32-0x000000007263E000-0x000000007263F000-memory.dmp