Malware Analysis Report

2024-11-16 12:53

Sample ID 240813-d9gp7axepp
Target LDPlayer9_id_1005_ld.exe
SHA256 8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4
Tags
discovery execution exploit persistence privilege_escalation spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4

Threat Level: Likely malicious

The file LDPlayer9_id_1005_ld.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit persistence privilege_escalation spyware stealer

Possible privilege escalation attempt

Creates new service(s)

Manipulates Digital Signatures

Drops file in Drivers directory

Reads user/profile data of web browsers

Modifies file permissions

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Event Triggered Execution: Component Object Model Hijacking

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Runs net.exe

Checks processor information in registry

Modifies registry class

Modifies system certificate store

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 03:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 03:42

Reported

2024-08-13 03:45

Platform

win11-20240802-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe"

Signatures

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\rsCamFilter020502.sys C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Windows\system32\drivers\rsKernelEngine.sys C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Windows\system32\drivers\rsElam.sys C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File opened for modification C:\Windows\system32\drivers\rsElam.sys C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust" C:\Windows\SysWOW64\regsvr32.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\rundll32.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-pt-PT.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\suitestatus.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\operations.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ldplayer9box\NetLwfInstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-checklist-risk.png C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\webadvisor.mcafee.firefox.extension.json C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_event_hub.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-es-MX.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browsernavigate.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\dataset.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\Temp2402300030\jslang\eula-en-US.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\dimensionconfig.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-ko-KR.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-pt-PT.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sv-SE.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Csp.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxDD.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-it-IT.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ldplayer9box\ldutils.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\NetLwfUninstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxAuthSimple.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxRes.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxTestOGL.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-tr-TR.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\user_welcome.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\Temp2402300030\mcafee_pc_install_icon.png C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pt-PT.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\arm64\rsJournal-ARM64.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-ko-KR.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-ja-JP.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\platforms\qwindows.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\UICommon.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File opened for modification C:\Program Files\McAfee\Webadvisor\Analytics\operations.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-fr-CA.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\contexthandler.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File opened for modification C:\Program Files\ReasonLabs\Common\Stub\v6.0.6\Stub.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxInstallHelper.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\postinit.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fr-FR.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-BR.pak C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxCAPI.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-de-DE.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\browserinformation.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_ai.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ja-JP.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-tr-TR.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\Temp2402300030\jslang\wa-res-install-zh-TW.js C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\smart_toast_config_selector.luc C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-sv-SE.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\pscore.js C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
File created C:\Program Files\McAfee\Temp2402300030\jslang\eula-cs-CZ.txt C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\SysWOW64\dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe N/A
N/A N/A C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
N/A N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
N/A N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\driverconfig.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\vbox-img.exe N/A
N/A N/A C:\Program Files\ldplayer9box\vbox-img.exe N/A
N/A N/A C:\Program Files\ldplayer9box\vbox-img.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Program Files\McAfee\Temp2402300030\installer.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dism.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\driverconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" C:\LDPlayer\LDPlayer9\dnplayer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32 C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\ = "VirtualBox Type Library" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32 C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E64A-4908-804E-371CAD23A756}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\ = "IUSBDeviceStateChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods\ = "15" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\NumMethods\ = "37" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-d4fc-485f-8613-5af88bfcfcdc} C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ = "IAdditionsStateChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\NumMethods C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.ldbk\Shell C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CurVer C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1207-4179-94CF-CA250036308F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ = "IMachineStateChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\ = "IGuestFileEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5fdc-4aba-aff5-6a39bbd7c38b} C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7708-444B-9EEF-C116CE423D39} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-71B2-4817-9A64-4ED12C17388E}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-d612-47d3-89d4-db3992533948} C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ = "IGuestPropertyChangedEvent" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7bdc-11e9-8bc2-8ffdb8b19219} C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B}\ = "IGuestScreenInfo" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9}\NumMethods C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\ProxyStubClsid32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\TypeLib\Version = "1.3" C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32 C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-762E-4120-871C-A2014234A607}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\TypeLib C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ = "ISnapshotChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\ProxyStubClsid32 C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\NumMethods\ = "44" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\ = "VirtualBox Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ = "IUSBController" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ = "IProgress" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2 C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\LDPlayer\LDPlayer9\dnplayer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\fltmc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\LDPlayer\LDPlayer9\dnplayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2788 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 2276 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe
PID 2276 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe
PID 2276 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe
PID 3560 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe
PID 4608 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 4608 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 2788 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 2788 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 2788 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 1668 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 1668 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
PID 228 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe C:\Program Files\McAfee\Temp2402300030\installer.exe
PID 228 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe C:\Program Files\McAfee\Temp2402300030\installer.exe
PID 5048 wrote to memory of 2016 N/A C:\Program Files\McAfee\Temp2402300030\installer.exe C:\Windows\System32\Conhost.exe
PID 5048 wrote to memory of 2016 N/A C:\Program Files\McAfee\Temp2402300030\installer.exe C:\Windows\System32\Conhost.exe
PID 2016 wrote to memory of 5028 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2016 wrote to memory of 5028 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2016 wrote to memory of 5028 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5048 wrote to memory of 3092 N/A C:\Program Files\McAfee\Temp2402300030\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 5048 wrote to memory of 3092 N/A C:\Program Files\McAfee\Temp2402300030\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1860 wrote to memory of 2168 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 1860 wrote to memory of 2168 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 1860 wrote to memory of 2168 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 2168 wrote to memory of 4724 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 2168 wrote to memory of 4724 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 2168 wrote to memory of 4724 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 1112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 1112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 1112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2168 wrote to memory of 5040 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 5040 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 5040 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2008 wrote to memory of 4040 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 2008 wrote to memory of 4040 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 2168 wrote to memory of 4896 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 4896 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 4896 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2320 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2320 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2320 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2256 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2256 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2256 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2916 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2916 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2916 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 676 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 676 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 676 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 3436 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 3436 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_id_1005_ld.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=7ffaa80fde0a371eb37cb0b0c890e69cac9dcb7f&dit=20240813034202885&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1005 -language=id -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe

"C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe" /silent

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe

.\UnifiedStub-installer.exe /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp2402300030\installer.exe

"C:\Program Files\McAfee\Temp2402300030\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=393798

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\4BE8EA94-8DE3-45A0-87CA-12F78E045474\dismhost.exe {DF3D3D03-2E6A-4EEC-8F50-2BAEC44085F6}

C:\Program Files\McAfee\WebAdvisor\updater.exe

"C:\Program Files\McAfee\WebAdvisor\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff817733cb8,0x7ff817733cc8,0x7ff817733cd8

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\\dnplayer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5108 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,13525987445590544849,15505717450069222167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.ldplayer.net udp
GB 18.172.153.86:443 cdn.ldplayer.net tcp
ES 108.157.108.196:443 d19mtdoi3rn3ox.cloudfront.net tcp
US 8.8.8.8:53 145.178.204.143.in-addr.arpa udp
US 8.8.8.8:53 86.153.172.18.in-addr.arpa udp
US 8.8.8.8:53 224.244.67.18.in-addr.arpa udp
US 8.8.8.8:53 196.108.157.108.in-addr.arpa udp
US 8.8.8.8:53 113.216.138.108.in-addr.arpa udp
ES 52.85.187.85:443 d1arl2thrafelv.cloudfront.net tcp
ES 52.85.187.85:443 d1arl2thrafelv.cloudfront.net tcp
ES 108.157.125.77:443 encdn.ldmnq.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
GB 216.137.34.105:443 d1arl2thrafelv.cloudfront.net tcp
ES 18.154.22.44:443 shield.reasonsecurity.com tcp
US 44.237.252.113:443 analytics.apis.mcafee.com tcp
ES 18.154.22.44:443 shield.reasonsecurity.com tcp
GB 92.123.142.66:443 sadownload.mcafee.com tcp
US 3.86.130.103:443 track.analytics-data.io tcp
US 3.86.130.103:443 track.analytics-data.io tcp
GB 18.154.84.124:443 update.reasonsecurity.com tcp
US 3.86.130.103:443 track.analytics-data.io tcp
US 3.86.130.103:443 track.analytics-data.io tcp
GB 108.156.46.124:443 electron-shell.reasonsecurity.com tcp
US 3.86.130.103:443 track.analytics-data.io tcp
US 3.86.130.103:443 track.analytics-data.io tcp
IE 52.111.236.22:443 tcp
GB 18.239.236.103:443 apiid.ldmnq.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 52.4.144.18:443 track.analytics-data.io tcp
US 52.4.144.18:443 track.analytics-data.io tcp
GB 23.214.142.196:443 home.mcafee.com tcp
GB 92.123.142.66:443 sadownload.mcafee.com tcp
US 44.237.252.113:443 analytics.apis.mcafee.com tcp
US 52.4.144.18:443 track.analytics-data.io tcp
US 52.4.144.18:443 track.analytics-data.io tcp
ES 108.157.125.51:443 cdn.reasonsecurity.com tcp
US 52.4.144.18:443 track.analytics-data.io tcp
US 52.4.144.18:443 track.analytics-data.io tcp
US 52.4.144.18:443 track.analytics-data.io tcp
US 52.4.144.18:443 track.analytics-data.io tcp
GB 184.25.193.234:80 www.microsoft.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
GB 92.123.143.232:443 sadownload.mcafee.com tcp
US 44.237.252.113:443 analytics.apis.mcafee.com tcp
US 44.237.252.113:443 analytics.apis.mcafee.com tcp
US 44.237.252.113:443 analytics.apis.mcafee.com tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
ES 108.157.125.105:443 ad.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
GB 163.181.57.238:443 en.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
GB 79.133.176.235:443 res.ldplayer.net tcp
US 162.159.133.234:443 discord.gg tcp
US 162.159.133.234:443 discord.gg tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
US 162.159.137.232:443 discord.com tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
ES 108.157.125.20:443 encdn.ldmnq.com tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
ES 108.157.125.105:443 ad.ldplayer.net tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
ES 108.157.125.20:443 encdn.ldmnq.com tcp
NL 172.217.168.246:443 play-lh.googleusercontent.com tcp
NL 142.250.179.131:80 o.pki.goog tcp
NL 142.250.179.131:80 o.pki.goog tcp
NL 142.250.179.131:80 o.pki.goog tcp
GB 79.133.176.235:443 res.ldplayer.net tcp
N/A 224.0.0.251:5353 udp
GB 79.133.176.235:443 res.ldplayer.net tcp
GB 18.239.236.103:80 apiid.ldmnq.com tcp
GB 18.239.236.103:443 apiid.ldmnq.com tcp
ES 108.157.98.31:443 cdn.ldplayer.net tcp
ES 108.157.125.105:443 ad.ldplayer.net tcp
ES 108.157.118.26:80 ocsp.r2m03.amazontrust.com tcp
GB 18.239.236.103:443 apiid.ldmnq.com tcp
N/A 127.0.0.1:6463 tcp
N/A 127.0.0.1:6464 tcp
N/A 127.0.0.1:6465 tcp
N/A 127.0.0.1:6466 tcp
N/A 127.0.0.1:6467 tcp
N/A 127.0.0.1:6468 tcp
N/A 127.0.0.1:6469 tcp
N/A 127.0.0.1:6470 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

MD5 d9cb0b4a66458d85470ccf9b3575c0e7
SHA1 1572092be5489725cffbabe2f59eba094ee1d8a1
SHA256 6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA512 94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

memory/2788-12-0x0000000005B40000-0x0000000005B50000-memory.dmp

memory/2788-13-0x000000007329E000-0x000000007329F000-memory.dmp

memory/2788-17-0x0000000008130000-0x0000000008146000-memory.dmp

memory/2788-18-0x0000000073BB0000-0x0000000073BC6000-memory.dmp

memory/2788-20-0x0000000008730000-0x0000000008CD6000-memory.dmp

memory/2788-21-0x0000000008670000-0x0000000008702000-memory.dmp

memory/2788-33-0x0000000005C90000-0x0000000005CD4000-memory.dmp

memory/2788-34-0x0000000009150000-0x00000000091EC000-memory.dmp

memory/2788-35-0x0000000005D60000-0x0000000005DC6000-memory.dmp

memory/2788-36-0x0000000009B90000-0x000000000A0BC000-memory.dmp

memory/2788-37-0x0000000002F00000-0x0000000002F0A000-memory.dmp

memory/2788-38-0x000000000AB90000-0x000000000ABE0000-memory.dmp

memory/2788-39-0x000000000AD40000-0x000000000ADF2000-memory.dmp

memory/2788-40-0x000000000ACE0000-0x000000000ACFA000-memory.dmp

memory/2788-41-0x000000000AE50000-0x000000000AE62000-memory.dmp

memory/2788-42-0x000000000AEC0000-0x000000000AEE0000-memory.dmp

memory/2788-43-0x000000000AF20000-0x000000000AF52000-memory.dmp

memory/2788-44-0x000000000AFD0000-0x000000000B036000-memory.dmp

memory/2788-45-0x000000000AF80000-0x000000000AF9E000-memory.dmp

memory/2788-46-0x000000000AFA0000-0x000000000AFBA000-memory.dmp

memory/2788-47-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/2788-48-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/2788-52-0x0000000005B40000-0x0000000005B50000-memory.dmp

memory/2788-53-0x000000007329E000-0x000000007329F000-memory.dmp

memory/2788-54-0x0000000073290000-0x0000000073A41000-memory.dmp

memory/2788-55-0x0000000073290000-0x0000000073A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

MD5 36d26660020002cbb57bc855dcdcfacb
SHA1 fff0c9ec668a437c12138bf4f17145c79c2e31ce
SHA256 1f515b4489b1658d214a2de7396cea76770513dd24a38050a1ba781b80aa55cc
SHA512 8cf4f6f3cd0752d682b72d0a6db2eae103ea6ab12740c4ad78be23ca696598239c211849823df1633279177f26cde4f94cc20fd0237a9216e924c787ac48fb76

memory/2276-69-0x000001B3F2AC0000-0x000001B3F2AC8000-memory.dmp

memory/2276-70-0x000001B3F5680000-0x000001B3F5BA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0qssuwap.exe

MD5 0cabcfa08f7f8f277a072f0ee8e258a9
SHA1 12466998256bea3a36b77a94961ac84d5b6c7ebe
SHA256 ccd3ae59bb523021328f39ab484ae934ea3cae1a9a8abcbfc0f67964c67fff30
SHA512 b5854587e53bcd80e1729c77a000516ddf1df8d9b3bf9ff1cf6c007611024161796f91eb8329dd58ef919b04fea5e37b7d60dcbe2a1461edc2773d46fd32dc23

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\UnifiedStub-installer.exe

MD5 493d5868e37861c6492f3ac509bed205
SHA1 1050a57cf1d2a375e78cc8da517439b57a408f09
SHA256 dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f
SHA512 e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

memory/4608-199-0x0000025E4D690000-0x0000025E4D6D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\rsLogger.dll

MD5 1cfc3fc56fe40842094c7506b165573a
SHA1 023b3b389fdfa7a9557623b2742f0f40e4784a5c
SHA256 187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2
SHA512 6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

memory/4608-201-0x0000025E4D640000-0x0000025E4D670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\rsStubLib.dll

MD5 3bcbeaab001f5d111d1db20039238753
SHA1 4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8
SHA256 897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a
SHA512 de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

memory/4608-197-0x0000025E4D0F0000-0x0000025E4D1FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\Newtonsoft.Json.dll

MD5 4f0f111120d0d8d4431974f70a1fdfe1
SHA1 b81833ac06afc6b76fb73c0857882f5f6d2a4326
SHA256 d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a
SHA512 e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

memory/4608-203-0x0000025E68380000-0x0000025E68432000-memory.dmp

memory/4608-204-0x0000025E4D710000-0x0000025E4D732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\rsAtom.dll

MD5 dc15f01282dc0c87b1525f8792eaf34e
SHA1 ad4fdf68a8cffedde6e81954473dcd4293553a94
SHA256 cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998
SHA512 54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

memory/4608-206-0x0000025E4F080000-0x0000025E4F0AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\uninstall-epp.exe

MD5 79638251b5204aa3929b8d379fa296bb
SHA1 9348e842ba18570d919f62fe0ed595ee7df3a975
SHA256 5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d
SHA512 ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

memory/4608-211-0x0000025E686A0000-0x0000025E686F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\Microsoft.Win32.TaskScheduler.dll

MD5 e6a31390a180646d510dbba52c5023e6
SHA1 2ac7bac9afda5de2194ca71ee4850c81d1dabeca
SHA256 cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec
SHA512 9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\rsSyncSvc.exe

MD5 f2738d0a3df39a5590c243025d9ecbda
SHA1 2c466f5307909fcb3e62106d99824898c33c7089
SHA256 6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21
SHA512 4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

MD5 203a048e75440a7a52082d5c52a64b57
SHA1 ca22ad661519a33b0b6f17acc65531773df7e5b5
SHA256 dda8e2ab8d8107769f3f7189b92f51528550ce02b8002880cc473dd632f13506
SHA512 9c41c27416eb571c082b248bfa150d0d9deb4f67820537099766e5726d98e9b0d1d46f230319ad580488eb39ac763214b30df101aaad28d9c2b61af66922ebf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

MD5 f9b3b7a585a03425a35a4b7ac43ebffe
SHA1 3d414f8e59faa4211a13ec264643258191415754
SHA256 df18e3aa74d2db240fadeb3181dd27273b194f36697108287a9d5725333d4e21
SHA512 26023765c44a970b9dce20f7251ede55aae39c1e878d3a3f2903784faf63d709f1ffbc1e9b2670cf30fefc3b6212185f04f23439c7fd4c3bf59f1d25337e50fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 2b88025d74ee52b1ffc48261d720f883
SHA1 69ef971351d75c9554507b470bf3de68651933a9
SHA256 ed2ef92911eb712e58bf272e076c792a8a5afe77741e10a87ac47c5ffb0797fc
SHA512 8c2de832be23e7e09f2971bb3b2491b72e2c5f8933ec88fc3f68b7d7d7974f86a89dde03e1380014e00abb144f13d4e6bd0bcbce9bca6d9f0a30418a4de6aada

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 a1d5d0e9f455534ed2348b35ca4f92db
SHA1 fc07d7e3bc696144671fef405c635afc4a49e1bc
SHA256 7dd61ddfb5f76f9a32c10ebe97af6da0c1b5153e2a17d57ae1de4a00f8b2ccb1
SHA512 3a02e49686ee5da1914b923a9023b761acc63bdf2a155055244cbc60c1262475afada3a5efaee453041b7876c9501df51e2999bf6a394120e0c39967524c1f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 e96712ab482f09639dae11f46d40d82e
SHA1 fea3e9ece4a98c6b32ae7f8a151a81fcd5bf2678
SHA256 32e7774e6579a24b8f2b4dda6717a56ae5a49e35ccdfa313545d2d45d8dada40
SHA512 f824d5289b7ff2815ffb55e585d4fa2fcd989becd97dee201554eab52b1fda7a67144c90298f80d57f66ba55a6ae6bd5e548181dd8e5eec42860c30d6fd36723

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 e03ae7b2282b5df1ded3516e6f3dad1d
SHA1 8cd3eb994ef999e76b27df9a12712edab2672f4e
SHA256 54ce04ca5d8d3e7bdc7737b42d5a9cbfc09b316399395a022799140f1f9f40b0
SHA512 7c1ba2e4f6fd7b096a78785510a5433b3b5c85152811b321bf8e6afb06f00b800e1a9cf96554645e197c1919ac07114c879997bcfdc6f6b0b9b6717140e07788

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

MD5 6c847932d63660b0e0ad0b0a4b9780d2
SHA1 17139565a23b4a6cf1891296c8d1607ec7653a94
SHA256 ed60db47b383ab1f4f50b8542d22ce992c31f450ce9d33b946a84e0ebfd3cde4
SHA512 f8bb7521fb8f24dd12ef7e59731bb5e68cac0d75ad547216d97b6069e0ad48dc9a25c7917f760841df1604fbe43335ba039c299c3e2199eb6b1f8b53c4fd6b75

C:\Program Files\McAfee\Temp2402300030\installer.exe

MD5 7891a2a1d8a263db846292708a8ed1f0
SHA1 4044ea34ca9d112133e3aa5aed14a7c0ea952d36
SHA256 6bf9a3e9f2874cc5474dc107a90c0484cf26c9c817a2f23a7e004b4e611180c0
SHA512 00abdd3086e0528063216fbb44b9bbd18890b7629579361b54f751e8a22e0a3ee4f05a483ac4c3188ebb2c85c45f6a5922e7f1db3beb1ca0303c0fcf122a220d

C:\Users\Admin\AppData\Local\Temp\mwaD50E.tmp

MD5 662de59677aecac08c7f75f978c399da
SHA1 1f85d6be1fa846e4bc90f7a29540466cf3422d24
SHA256 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb
SHA512 e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

memory/5048-418-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\browserhost.cab

MD5 41840bd10dda1409adf6d83175c0d981
SHA1 b363a2922f5d69e22641bdbc3d070de324ae2d1f
SHA256 a94ff5f7d7b84a416eca7f6f42d9bd012d1051b91dc574633429bce822f51c12
SHA512 8828623e4965c88ea631010f2ede2e1c42b26183a00e50f665c37fff930956a7b4089629e24a728210fe61389dcc109386629280c3a5457e6072fe7ccd3820c1

memory/5048-420-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\browserplugin.cab

MD5 253337eb5d13a9f79378de0904b0e448
SHA1 5dcf4b41d3ec3eda26e7e25c9221643b62468962
SHA256 05c9b53b895f9c79eb9e429f2bd11651a4b51018b9151fefe41d835212d515f5
SHA512 b7e2d2eb1dc29e1f5b87f73133ead258776aaf2ae21ba43d21d1fb91c61079cfd649be6c1aa2c2d9aa9982a1ba86978df18f677cec7b15919b1f2d44c888eef1

memory/5048-432-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\eventmanager.cab

MD5 cb3c3baf9d0f30958c3b9df32352a058
SHA1 ca427e00cdaa32f39fb4a6df8ba1aff5b8200f16
SHA256 054ef467f43e73d3c5687966e8a2be5fe41ed099875ba179ea6a446cb8b75ee9
SHA512 9567c4fc176e31a5ee06769f103c8d4d03ef6b873827b3efffc09c4329620c1d817ccf641004c419e4438f69820681b223a185ad415991be3af70d60f70ab3f2

C:\Program Files\McAfee\Temp2402300030\l10n.cab

MD5 fca9378018e30742bc2c1fdac03fad41
SHA1 46f9df6312920424d3f20914dab59874551f57ba
SHA256 df2a4c968dce5c9a03ce10e2d0ffa243fd20b94e0d1f60d49a2709353efc4a02
SHA512 0d39532169b19f240779129ecc49b4e582373350d51b73f3cfc91cf0b655f7845df48c57a219391926cd3105a5825f55a14db28c76be9ed9e8d9d4bfc5e54b78

memory/5048-437-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\logicscripts.cab

MD5 c1adad2f314d114594aead6816ea02bf
SHA1 be8e53c61500376514848d007115293c88ea9b6d
SHA256 f27e1c439d4c9ca4296b7c463ce76ea15870dbb8210c58ab4ca5f20d01112f7f
SHA512 b6b5f50b81c24d801205ae9234ba5ffccdf25fe6c557fe284c83d80c7d0eac9e4f6ce5d3b2804484626269166f418476433101ab916bbfdde6535cefb876caa0

memory/5048-469-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\mfw-mwb.cab

MD5 eeba6fe0bf59eea07384faea7b8b57e7
SHA1 8a7bc85e488c3063ad6fd644eaf66942d28be34a
SHA256 d2c592dcd51c0ccf979634bb969eda7b4b3d69d5e9b225fe15b5a0a9a8a0a45e
SHA512 8daba71ee57042972f796afecf3c7020020a4951bc1b9fd4c867935c6539bfd85e78c794e27e99912aff7d0d2d0ddb37e727de1955fd044dd36dc8b8364a9837

C:\Program Files\McAfee\Temp2402300030\mfw.cab

MD5 320a057206bdb5a7ce1a6cf9e7502557
SHA1 b851e2d941f013b74f64e50130481711460fd3a3
SHA256 9f5c0192d1e924a9e3ef4590ec4f2483bd59da98227bb24970180b000759055f
SHA512 1393d881255bd5c7562cbc956f112d2945af6fb53a3e80744f58702211df72cc549ff02d824de3f681f38b2dac45367db3f74d12b94328e4f7942d6c2b213bac

C:\Program Files\McAfee\Temp2402300030\settingmanager.cab

MD5 abdcda6e45d446e3fac2227f1086b7f2
SHA1 850a5bc7abf58be91a844ce0f4bd91a587978d2e
SHA256 eedb70f956d92e3e2d7512f59c8f00637ba8f6dbc38ce357fcce0043a262006b
SHA512 d64f13a94f874cb48c6dc6b2c9ab0308df81de1a4d647891961e17da7e5f9da6c2e24e8693307591f9a171c5789816aaaf73727398bde4773e6ee973323018d8

C:\Program Files\McAfee\Temp2402300030\taskmanager.cab

MD5 0894bdf9d21c032f464d71b1f5bd31ba
SHA1 0b60cc31217b1b24971eb39f67ba54291543fd69
SHA256 79bd696a281c3eeaf42e5373d46e9caa7993a0ca7d07bb6d9a6e034cd7f999cf
SHA512 e01a49270d2f272c0c984baf32b114a5d294ad463968fd821b82971075333937292c1026a61f135cd1eb851e2ec0d75e7766e2d61b613e40fe144ff7d2222764

C:\Program Files\McAfee\Temp2402300030\uihost.cab

MD5 d4b05b3d41b6349234b48e6c0a7ad2f8
SHA1 8d277c3eedf5a650a1ad25fc43609519aa0b773a
SHA256 93ba29bcf9b1d61cf1b8ac456141f3c2416506060741f3ee908de59451afc312
SHA512 028006c483c103ad2fad92f18fa3ce33b312380fb995d653b9a2d386d6a7b0cb42fbcc51cc8c1a600b7be227be3840ce5afb56c14679db09c27fe317c571df69

C:\Program Files\McAfee\Temp2402300030\uimanager.cab

MD5 d386a056952aa84bdc20fc2e73075102
SHA1 7ecd4accd817e47a6b84c7e6f48eaee11fade196
SHA256 73453d0b006e9bbf3c0d47da6740dd058d456e317e694f8c617ffa80874c7299
SHA512 9f066df00221376ef5e790eb2c3cff8e70aea16604e5ede23294d1624b2d2746dbc46ada26dd355b15e02cafd2a11cf26267050fe5ccea1ba6a118006fe1de22

C:\Program Files\McAfee\Temp2402300030\uninstaller.cab

MD5 9b05a0c33183b3074bf15eb3e4188a08
SHA1 be04bf97d0120a4da92cc41a8044865a1221faee
SHA256 1fb7abd4977a7dc6f43113b21a4022b1097475f65cadd6d179ef0368beb28487
SHA512 1fc8be40429ea83b3f6fcc8418237613bf2d53efb044a088255026f10b91a422d61b71d472a8b6e45fa5674b08d9036c82fa92277e9bd898cc1fad89f4bed1fd

C:\Program Files\McAfee\Temp2402300030\updater.cab

MD5 c4a33acb72e38f175643df1f4885fa08
SHA1 2f43ae32571b98209f06e477e241ace819e9a7c0
SHA256 b870afb0e5fac44d1ba71dbf40f47991f20b54f8926bd620b2dd2f44975e509e
SHA512 9488964b486546413019ea070a3d21aabd79e017c23942706c863a9a75b26e3417227e32a10a0e8c61bf3094b26e7a49dd7ed8b33b217a330b9210f3e1357e36

C:\Program Files\McAfee\Temp2402300030\webadvisor.cab

MD5 eb9dc6e92aaeb766ea0ddd6dc1675f18
SHA1 7ebb0b6a317cf2d3240094edf014aab8a5c71f9c
SHA256 a169c580b122ad54087903134984b54b6aa2deb76faf0f1534ff621ce7a8cc2f
SHA512 9f0e3d1c30ae3e5739c821730e5ba9deda71f425ae92b7a4ab00b29999db8d49dfb5d58ef4ed7b91ab8133ddd8fa2bcc709c8d5240c03cdee7a4c6ddf4b6cfec

memory/5048-532-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-643-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-641-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-637-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-636-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-635-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-632-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-628-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-627-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-618-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-611-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-609-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-607-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-606-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-754-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-823-0x00007FF604910000-0x00007FF604920000-memory.dmp

memory/5048-816-0x00007FF604910000-0x00007FF604920000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

MD5 6b8f4f525f49f76d673ddb7d8763b14d
SHA1 dc1110f8706baa9d3ebf25a503ec34442bcb5b1a
SHA256 caa333d19234f8ff90119ae0361aff6f01c74332851aae149f7f56f7c6b5a934
SHA512 d7a195eaa57f188565de096fff7c6e24535644fdd3ff0ea9a3b0b881e40d49a28b2ee30555b723d9714642331b309547fabdd13637f0d4889fde0a01774b69f3

memory/5048-795-0x00007FF604910000-0x00007FF604920000-memory.dmp

memory/5048-786-0x00007FF616010000-0x00007FF616020000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

MD5 4ea91a66a588314d28db2bd84568aab9
SHA1 ffbeed2b347f56035a0eecf5bc03934d69d2ae13
SHA256 257a14d199f6cbfcadab22e20e0a45692f151be6d3385e2bc53b761197f8b3b2
SHA512 76cb2a00eb94cec292d25088ff9950a186cc73ec2c79e42294657c22cc7c31d866526d8a464c06bcaa4a102f9d914ab470c96e4545e70dbb76293ba50c7914a7

memory/5048-785-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-745-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-743-0x00007FF616010000-0x00007FF616020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\x64\Reason.ArchiveUtility-x64.dll

MD5 366231ab413d0ce3ad65b38b4ab3e4a6
SHA1 f52e1886563137a4124d3096d7ede5ce1cd1e578
SHA256 ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d
SHA512 55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6

memory/5048-740-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-731-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-728-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-716-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-713-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-707-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-701-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-696-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-604-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-601-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-592-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-571-0x00007FF64E350000-0x00007FF64E360000-memory.dmp

memory/5048-566-0x00007FF617E80000-0x00007FF617E90000-memory.dmp

memory/5048-548-0x00007FF617E80000-0x00007FF617E90000-memory.dmp

memory/5048-542-0x00007FF5EFAC0000-0x00007FF5EFAD0000-memory.dmp

memory/5048-512-0x00007FF616010000-0x00007FF616020000-memory.dmp

memory/5048-505-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-504-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-503-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-502-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-501-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-500-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-499-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-498-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-497-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-496-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\wssdep.cab

MD5 665c741b1f80de536088d951f0bc793c
SHA1 184f5a895a746de1a1c707cfb68d40745fef3f56
SHA256 abf588228567d558edc7adb950f5ac4067746564eacfaf6364611573bcad9909
SHA512 4929819e0d7b5ff9dc240e928c1cad96bc457d5f90c81949e6b481ab7ba3fc3e600c7a3e3b7bac435cba5626e336aeb03abe299efeb5c3c4c7fd3fc968ed3bde

memory/5048-506-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\wataskmanager.cab

MD5 ac05241d59f482ea308ee71758098453
SHA1 2203c08527c24f9c55e46ba700be1cf0383e741a
SHA256 d6b07588cc9f523f4fdb35b904a954ff594237f9330d68dbd7ea61751445464d
SHA512 4f1bda65555dbb4c4ece4c8e45c11de74267c373f92ff46811011894f72c72a3326e5ce96f90f39f4e94d9d9c89152e0ebeefb09539329d06b12e79f905b0bb3

memory/5048-489-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-487-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\telemetry.cab

MD5 656d5d8d3bccf3dddb443eeb6556dbe3
SHA1 b9c77ef1b9f64f2533086b9fc2024728b3e33034
SHA256 b09b64ea667d7638b054217d617dff83b3e2b0fec92271c4228df324124f4ef8
SHA512 6b2a29d66ec4663cdc14137a26c663a239fae440bd6a23f07d1e585fcfc4cfcbcdc8df08475edfcde012c808b67be70e30811b13bfcc0ee80b612fee3dfd38fa

memory/5048-485-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\servicehost.cab

MD5 c8a4a500b1930513d44af040a04c3931
SHA1 0cebba3d1012035c4799e97457c4e7a6f118d836
SHA256 a2ec67d5b61acf73159bacdbeb4bc95ffb5a51010ab5bfbffa8600da03180de0
SHA512 cbe176ee7968ea8d84792f0abe78b049f455902aba5a7c87d3ffff3cd679749d417084e27c88c1dc8de36791ac0ce3b09e0ae9818555e1d0d69deccfc58ac63c

C:\Program Files\McAfee\Temp2402300030\resourcedll.cab

MD5 05a260ee8a80494001fa1d4c7fa5a357
SHA1 029898a55602d45dc656d43585f05748f4a10e5e
SHA256 5e6b92af5b48255e96cdb4815204b597bcb01332da99f16a33239b30f9b9e2d9
SHA512 13adc543ed493498e1cf6d7087cec62e8dab689a9795101cf4df905dc6c3512effbb839e366c9abc1aadfebaff645cf31611e86f215e73d1fd6cb55178fb2d35

memory/5048-480-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-478-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-477-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\mfw-webadvisor.cab

MD5 0f79f075560c6c91116f4162c268ae54
SHA1 b03607d04958038477fd4dd5adb2a2dc0632d6ca
SHA256 f89ab4291eae4b52e1adfa639f1776fb95ed411257a67b274e1f727e859bbc5b
SHA512 f7966211c9e24eeb495a01d8185740a60634de0dfb19e1e5e78ab2c3184086ef256b68f3ca0eec7475302c13eaefe13aecd9d123fe5f3486661de3df51dadaa6

memory/5048-472-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\lookupmanager.cab

MD5 a447b6c857ae29a8b8f2e3bff007df6c
SHA1 f3d245b7ef702290c82f8b6c35ef973bcc2acc99
SHA256 55fb14f82bdb042f9a231dd069451112a2a792e711b96e593e264652c87e3b90
SHA512 458838d2f2f9f5f4145db622dc44694a05caec9fb9d61fc7b600f108dfa5b0343dbbd99dd0a92ba938819cf4c5eb641c939cf9616d69f8ee049b8ae750e51d46

C:\Program Files\McAfee\Temp2402300030\mfw-nps.cab

MD5 b9071741dd0de141bc57f3c43a911202
SHA1 9cef3cce37c8094a8609e39908fda7c8ade5b59b
SHA256 ec74a91cfb9d3ab75b0c33fd9f92140d00d2ff0a52d5080a6aa4dcef6834bfa4
SHA512 9e665f265f75e010ccfddb013c73e83b1d8b04eddfbc338deca8c982d5faaf4bbe2a9dc872e3d4739ec9ac29f0c74aa650effeea90d3967c8fb75d4c56032ccc

C:\Program Files\McAfee\Temp2402300030\logicmodule.cab

MD5 a56c6d0e52f42d6546dfc17d1b539294
SHA1 463071d9de6f6113d6d31890b50a49ca5af67354
SHA256 6c9941e674abe2cce976f8bb49d11235b1563281cba8736aed383f9b79eaabf3
SHA512 3f4a1211b17db79f276f9ae5ef9855f10780b2f8fce4d0308f672edd34399e6126e3f5694feb3c515d2d6afbd016830a987df28fc4390f5cfdb1d9d9b8e97e04

memory/5048-467-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-419-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

memory/5048-417-0x00007FF606F00000-0x00007FF606F10000-memory.dmp

C:\Program Files\McAfee\Temp2402300030\analyticstelemetry.cab

MD5 f9424b351f5fd545d96ccc3458777f3a
SHA1 fe13b0160e4cf4340952b4ce120ee4cc4ade29e4
SHA256 b7cbecfc093acfc824fbddac62e091b8bb04a1d0b59060e34cf715e1d93ae1c8
SHA512 dcc46a38db86aac6ba7e1083a7a5c0c9ff4aa91cfeee5c0a7ae6eb7f369521d8d575fa4261c3153a56777c851122139e781efff3ada9a1879450abd09702677a

C:\Program Files\McAfee\Temp2402300030\analyticsmanager.cab

MD5 5be9597eb624a4897d79402c4cd34b6b
SHA1 0998b43ef247820ddaf7655a3ee527a64b8b41fd
SHA256 4d2c613e6cdd7ac00025b5da1329d52d63628257ff44a1686ac230f25cac2862
SHA512 524937dc6ccfa241f96dcd7c9e9df0be6d8faa680d4b641b8a49cc687884b7e5b3a6939e516e3486c89a3a706f0ff5318581eb05edcf84b8740ff64baf110b39

C:\Program Files\McAfee\WebAdvisor\servicehost.exe

MD5 ad677f565503dc0f594c523e21c7c786
SHA1 4552aab5de1b677ce9c22b686daefbb1467a2724
SHA256 417bb7d1796f87f4c281097ea2c6e3af5eefa42f951375edaab7056249500e11
SHA512 0dbeb28011aba75b2262826ecb39cd597740aed7d0b0ba24643eedc56d593f9437355f0a953c40e0adfcc2dd16b1e770d1cebc3221c7fe438f6cfc14fca107bf

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 bd4e67c9b81a9b805890c6e8537b9118
SHA1 f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27
SHA256 916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8
SHA512 92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 2fbbe397f05533da1826f7ebb18cf754
SHA1 453efac6ee7f1a8f3108d7723c979e2495107067
SHA256 47dbed239e60e31607e4103600df0c5ed81d15b90ffde1fc1f74b192e9d89bcd
SHA512 60992255daa291146a68da1c2b636c35879e2340820188bbf4de291e001278310f4c24c428db06eb7a41d7e6935f55f64dd0005ddd8e7c53d9b33c6d04d494ea

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 6207cf78b12c384794f45e2655a86a36
SHA1 291904efcd0b5ace629fbd4b615a77a07189b3e6
SHA256 c5de7200bd03cac6653043a048a33c096dc28db2e1fbada37e90538dcd2ea9d2
SHA512 937857caec376a544f7cdb44adbb6913fcdfc5f18085101263983a6bc73256f263127f4a900b97743e65136eea061ec18bd56ee70f01f7940b23e21c2d0f9d9f

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 0509ba13dde6a0fd7f97e492a32ef3a0
SHA1 004930bdcf8ae1f546d58f714f2695f1ea2e854b
SHA256 05a45fe2a5e1e254842c831657b8076faa91f184ce3364b62a9f9215a6c2c859
SHA512 d5b83437e434349a2a770736b7c4cf9c245a3c9e87eb552facc543356f8fea0abecb78a20fce92446afb81bf8523c52ef6520cb9108bf27f83dcba6706eddf3a

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 81fcc6ce49ea658cba52e24ce4261023
SHA1 5f9d5118b94a11de500715df015a377b645e88a6
SHA256 a2ad3c285d0cd5ff190edc42286f3bb695310d35e134daa38a2425a71da69dde
SHA512 04e8051034887ebb82e2f735cb87132c266f44416ff751dc0a2a3f592e8e6b83ad2f29a1a656ec07bf0168bcafddfade5acbbc562fb5439b9ab8377298743a83

memory/4608-2630-0x0000025E688A0000-0x0000025E688F0000-memory.dmp

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 fcb11ae023b02f3f3afe68cbdecd0f32
SHA1 486865ebebdeae59c036ffea5fc613d079b05f08
SHA256 ab30752603586c284823d22862ff10497064bafdae240083aea6d58155829866
SHA512 a227f54026f76d536223f9e692251c0683dfcdb0ca3fcdc3ee87fa26bf2dc402fc4bbe94238bade5d23ac5118652ddfcbf299b158d878a6c42ca0abd1717e333

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 f451cef44d1ad7d9b9531ec6c72b159e
SHA1 88ab6f826648a378cacd5c5497369fd2a69a2f59
SHA256 776e53005c0bfa5ee7e4116809b83dfa249e14c4f12d63c3002bc8cf2c2492a7
SHA512 c31f07c49c1d333fe4646e8a52cc0061cd6c0a1d976a9df2bbb6539036f3cea0fbbe5a70025ee01605549224ff5658fd604b68b8a413344d7d0b2008202c61a3

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 c34b17bc8f78195442812b5c4ff1da59
SHA1 9109d30aeed4439b3fc7811946e1431915fd8fcf
SHA256 b97eb6954110c26b7f4a8a8e2ebc27dfae706f8f71518a1d01d8747ecb4fd074
SHA512 7212e36edc49aeb692612c847b69ddf594991b8ad94e3f05be227a55edcc8300f9eec6959871ebe3f8d82f8f8b97aa7ae591287bf7cc34a3d2a26680e5099b44

memory/4608-2662-0x0000025E68A90000-0x0000025E68AE6000-memory.dmp

memory/4608-4296-0x0000025E68AF0000-0x0000025E68B2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\618ea139-8b86-425a-abc4-1dfa5b93a59d\UnifiedStub-installer.exe\assembly\dl3\b2402bf6\e3091e10_33edda01\rsJSON.DLL

MD5 1b899a7e7cb09e57e9124d238ee09252
SHA1 278579155f59f8647a873541aa0e596f2077c060
SHA256 15e065330e041de31cb37f9973d21b7cee45687719d9737bb41dd441a66cd50d
SHA512 95b6696e1494428c22bb2a1eaa896b60e7aa8f23c1d6b44796381d8177bc2293e7fcaa47109954f9c01946ebacc15ef4b5807dece2ec5a4bbee3b1023633a8de

memory/4608-4307-0x0000025E689F0000-0x0000025E68A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\618ea139-8b86-425a-abc4-1dfa5b93a59d\UnifiedStub-installer.exe\assembly\dl3\65146de7\e3091e10_33edda01\rsLogger.DLL

MD5 f35df6651eb38de67d1e8d5c47fde178
SHA1 a52f3266a702afacd3d017ce5728b0484aa3a392
SHA256 548317de73925ff05f6fbe7b22c5b97c6c4be33826f365eeb327b5ec9a3b0c8e
SHA512 f3fac6d81a26d0ab1664e81c027472fe3c4517e876d00cc643eab1c2d01e98906dfff351fd94b29f6a5a115ddfe08b81e696d8626d90379a15930faa953b3b80

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\618ea139-8b86-425a-abc4-1dfa5b93a59d\UnifiedStub-installer.exe\assembly\dl3\e3909e7f\b1441910_33edda01\rsAtom.DLL

MD5 50aa2656c227001784142fece1575ffe
SHA1 ff1d971b757048734af907643988e7a0456c3768
SHA256 144079dd0161a81eca70935969b580f4f3d3f401f819b2bf9cb0be36aa4324e3
SHA512 c53951a8c08485f9c06529014310cf7895bc523e811a3f3614d39b4a95b56f8f5fa045151e71223aee878cbb7cf209623518012571f8e6a742714878d828d87d

memory/4608-4344-0x0000025E689F0000-0x0000025E68A1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8ED9EDF8\618ea139-8b86-425a-abc4-1dfa5b93a59d\UnifiedStub-installer.exe\assembly\dl3\482615aa\e3091e10_33edda01\rsServiceController.DLL

MD5 d8a2f9ca19b471d0c78dd6cc874cd46d
SHA1 701ff0a5cfd6bd74f44cf9d6c6e67c2231ca6134
SHA256 9eb05801276f62f5497b5136317c2301fe619a77176f96f417c91fbdd26c500d
SHA512 752c50b02d54dcc8f2a85de73176574919989d1c9596de5570559f6c70ad09dc183e45c6a3d62413bccc170206f77ab1018cf470fdad21023a5a70a972f7f2ee

memory/4608-4386-0x0000025E68BA0000-0x0000025E68BD0000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 eb3bcd3a0848530646609a1c1085c46b
SHA1 f4cda2a9fa5d41cd1b7564bf23806d6c4a77eb09
SHA256 30f51499302effdd182ce651a294c186a04bdf516865ec12352af60c2d2ffbdf
SHA512 a0ba8c7b9864ca342930b817b37983270e5816a16097d1ddd1fbf38ca339db4c8d59d9fa71947bb83cfb4fcfe5a0cdc982a9b85adb1c91a2bff805f687f7a692

C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

memory/5988-4482-0x0000020C1E6E0000-0x0000020C1E70E000-memory.dmp

memory/5988-4483-0x0000020C1E6E0000-0x0000020C1E70E000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 1264314190d1e81276dde796c5a3537c
SHA1 ab1c69efd9358b161ec31d7701d26c39ee708d57
SHA256 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5
SHA512 a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

memory/5988-4496-0x0000020C20330000-0x0000020C20342000-memory.dmp

memory/5988-4497-0x0000020C38B90000-0x0000020C38BCC000-memory.dmp

C:\Windows\Logs\DISM\dism.log

MD5 7063948724d85fb6fb41044c8e7c48a7
SHA1 dece13f58b99dba82ce52e3ade697be89dcf0e2e
SHA256 a9a6f9dd1347a399a89a67fccd8c3b5766faaa41dd7680b99911f61d78e1e9bf
SHA512 785015374c36a9e9e2473859ae77df9a6816aa56a7e9aeda2c8fdfbf3be87f9898edc3367d73a8438a703c640c8441b13af3bfa48fd718dd73e158511fce3097

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog

MD5 8a0b93abf7961a386f153a4165e099f1
SHA1 388165bcf6100b6a6c69cc51693716116e4c4896
SHA256 e1eee4a919996c03ff2a0f0a3617e48bbcdf3c41c9535466de7a02fcdcae680a
SHA512 36972b5ffdde91754c3d2a336856f9bbe9f5bc7fded2420ae8f1ba66df905b0e189327eecc6eff9deb3df29c288dfb60aa16c8f9dbe501e449b92a67aaf5edac

memory/6420-4601-0x00000270753A0000-0x0000027075706000-memory.dmp

memory/6420-4604-0x0000027074760000-0x0000027074782000-memory.dmp

memory/6420-4603-0x00000270746F0000-0x000002707470A000-memory.dmp

memory/6420-4602-0x00000270751C0000-0x000002707533C000-memory.dmp

memory/6024-4774-0x0000000002B30000-0x0000000002B66000-memory.dmp

memory/6024-4775-0x00000000055D0000-0x0000000005BFA000-memory.dmp

memory/6024-4776-0x0000000005490000-0x00000000054B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffwy1c0e.rs2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/6024-4785-0x0000000005E50000-0x00000000061A7000-memory.dmp

memory/6024-4786-0x0000000006320000-0x000000000633E000-memory.dmp

memory/6024-4787-0x0000000006360000-0x00000000063AC000-memory.dmp

memory/6024-4789-0x000000006EFA0000-0x000000006EFEC000-memory.dmp

memory/6024-4788-0x0000000006900000-0x0000000006934000-memory.dmp

memory/6024-4798-0x0000000007310000-0x000000000732E000-memory.dmp

memory/6024-4799-0x0000000007340000-0x00000000073E4000-memory.dmp

memory/6024-4800-0x0000000007CB0000-0x000000000832A000-memory.dmp

memory/6024-4801-0x00000000076F0000-0x00000000076FA000-memory.dmp

memory/6024-4802-0x0000000007900000-0x0000000007996000-memory.dmp

memory/6024-4803-0x0000000007880000-0x0000000007891000-memory.dmp

memory/6024-4804-0x00000000078C0000-0x00000000078CE000-memory.dmp

memory/6024-4805-0x00000000079A0000-0x00000000079BA000-memory.dmp

memory/6228-4816-0x000000006EFA0000-0x000000006EFEC000-memory.dmp

memory/6936-4834-0x000000006EFA0000-0x000000006EFEC000-memory.dmp

C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

MD5 4acd5f0e312730f1d8b8805f3699c184
SHA1 67c957e102bf2b2a86c5708257bc32f91c006739
SHA256 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA512 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

MD5 0054560df6c69d2067689433172088ef
SHA1 a30042b77ebd7c704be0e986349030bcdb82857d
SHA256 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

MD5 4ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA1 52693d4b5e0b55a929099b680348c3932f2c3c62
SHA256 b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA512 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll

MD5 50260b0f19aaa7e37c4082fecef8ff41
SHA1 ce672489b29baa7119881497ed5044b21ad8fe30
SHA256 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA512 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

MD5 e8fd6da54f056363b284608c3f6a832e
SHA1 32e88b82fd398568517ab03b33e9765b59c4946d
SHA256 b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA512 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

MD5 52c43baddd43be63fbfb398722f3b01d
SHA1 be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA256 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA512 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

MD5 ba46e6e1c5861617b4d97de00149b905
SHA1 4affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA256 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512 bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

MD5 2d40f6c6a4f88c8c2685ee25b53ec00d
SHA1 faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA256 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA512 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

MD5 01c4246df55a5fff93d086bb56110d2b
SHA1 e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256 c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA512 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

MD5 66df6f7b7a98ff750aade522c22d239a
SHA1 f69464fe18ed03de597bb46482ae899f43c94617
SHA256 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA512 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

MD5 ad9d7cbdb4b19fb65960d69126e3ff68
SHA1 dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256 a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512 f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll

MD5 50097ec217ce0ebb9b4caa09cd2cd73a
SHA1 8cd3018c4170072464fbcd7cba563df1fc2b884c
SHA256 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512 ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

C:\LDPlayer\LDPlayer9\dnplayer.exe

MD5 6fe5ee1daf303963482ffc414b1f4aed
SHA1 076ebaeeb02853d96e20085fbedaf7e61f3a60d3
SHA256 2685e5c1aa3cdead02024f21abadb413c6dc130946f7b44ca01b0cea64bdd2ae
SHA512 8bc6758c95a53ebcd6b6fd27bdd3165f91bcd8f370d677afb7d599865b57ecad274eb21502235eeb64ad2624046cafa9f14576221b1503e333815df5a6dfe134

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

MD5 77138e2662cdeffd61cf6210ae3fb8ca
SHA1 a085b99630efc74cedd0be9a0eeb57eff7b3850f
SHA256 68c83685da55573ae966db3113ee513dd76ba489024373968e527bd44d814724
SHA512 a4621910aa3ae4b5dfa558e69d0270717341467cf067d9397e2bbf118f789c87eef8750ecb25ffd9c60f51f35ceb40b211ce9a738116c4dfc06e543ac90d1bcc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5578283903c07cc737a43625e2cbb093
SHA1 f438ad2bef7125e928fcde43082a20457f5df159
SHA256 7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2
SHA512 3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

MD5 b2e3ba2084f827f2e46a917983363f0b
SHA1 41fd27f8688b7a755abc0acc72a2a6a0e1045c78
SHA256 7daa3d35584a7e87c3e8e3afeb436d088209966471d6c766328087823f1f3e73
SHA512 4aea989bda6efc91836264f04f23fb3760764e3ef7809f618ad949c2e64b5a167fe5d054607535ec22fea4942d9ddc5ea7f70a1f529ee23633c1cd275d90e508

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0487ced0fdfd8d7a8e717211fcd7d709
SHA1 598605311b8ef24b0a2ba2ccfedeecabe7fec901
SHA256 76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571
SHA512 16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 4f4f31eb119ba7ca59faa37ef7367158
SHA1 9152e8de366e100d9a6abe494d2ed64c2fdfef11
SHA256 30f52821a7352bf3ef9341b44c16d35d0dc7ff46cc02ce6eec0b1f97ac1635f8
SHA512 a52a6b2df20c8de436d9c56b1ba9271237d59908104c66e2f46f6c10965aec6d8af82f09799d49289d0bc314d1fed0bffb0afce6174abb013e5b47b2d8dcb8bf

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 3f00a28492f7d2dcfa6d54b1b2fb8e6e
SHA1 1b3ac56d636972068e78621c676d64b29fcfc4d1
SHA256 a01e6452c1a4bbd01467ad895e273547d9d77df37c79e6e36ec94dd91182cd83
SHA512 a2f773baa8c5deea379e7eb0c6e6fbf7ca34bc0cc12d7c906d9630baa26cea318407fcbbb1ce06197bebd86af65627b311423e4862989cdf0635b8850255c79a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6efbf542c904bb8895057fa6d30134cd
SHA1 23340f12c1e74c88f437f425de9b851f1f72f2cd
SHA256 e831eff3635f19dcebc734e95900691b23e5ffd167dd2bdb3536d4586d7cd545
SHA512 35639b735011b45e348e98bcd89c49fada3cd0bccee1ba5de87abad3eda57517b00f3db26170ecc8a09257908780c7bbc5811469e7a77a5eaa39ef8cfe35607e

C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

MD5 4d592fd525e977bf3d832cdb1482faa0
SHA1 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256 f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512 afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

memory/2788-5020-0x0000000073290000-0x0000000073A41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dfbd9568ac569acb81d93f3b0fc16ce8
SHA1 0fa46110fc2d5bca39a1baf507652599c3d3cd46
SHA256 d5d718b0f4018d75b14626206e0c7bd53bb7a99a2a94353f3f5df2a67dabf5d3
SHA512 6d82278d1da700a417bf50158b0748006e7520f96eaca96133758041332b5f9ff99cd313f6428155b57c19a85299e6d9eece498a2ff4495fdb211342d8aaf586

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3a52417db83ec9366047505aa0541a30
SHA1 e4f17368183c6d9d26755c759f43f7c099c4fe04
SHA256 22770965a62f79528a9e38f78d1d5f78a344d240ea39ea25b3d5dbb0897a4080
SHA512 36e25ef758d3bb70600f621ad7a52628df000204438b6816295e55b9804eb85cf158c360dfea08db1e15254067b0308bce9f59c611811749e0c15f96c2781713

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b638e3ebf8f68ef6e00265def21b3cfc
SHA1 1c7449bfffaa625dcff03bf79b3faf11f04da380
SHA256 f2d0661f373caf3cd9457cfb3bdddd9ff3e59624b0c7d11336f714ce321621f0
SHA512 0c728a71b172375e0ecc4d3cfb61c5dccd871d33243a7210ad1b332138ae72465f1b68dda4148d5ce08e36e52462871c4c34ec4233656887bfd64212ac61f6dc