cobaltstrike | f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 15:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_1009_ld.exe
Size

3.4MB
MD5

d3f42950472326bca3051521650155bd
SHA1

97f81696dd2b9f0289c6a6002017007ab2a7b463
SHA256

f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a
SHA512

45d9e6d7bfaf0f234034b0c78c8e0301e95f3b0d05f189ca29080100a8fadca78ca3a784183a1116a6655cca839f8890f702c2d5b2090e028503ff2a67ec44e3
SSDEEP

49152:T1Be0WwNjL2UmeJJY1pHtOUYqP3CFOrtG/tTR9sXafgkDFMVR9C1UhPJXMK701hX:Tze0/jL2Umec1t0xOoVMBiCV2HkK

Score

10^/10

cobaltstrike backdoor discovery execution exploit persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023507-5674.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0009000000023508-5677.dat	disable_win_def

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "FormatVerisignExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLREMOVESIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\FuncName = "EncodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
10200	icacls.exe
6352	takeown.exe
412	icacls.exe
6128	takeown.exe
3380	icacls.exe
10128	takeown.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
10128	takeown.exe
10200	icacls.exe
6352	takeown.exe
412	icacls.exe
6128	takeown.exe
3380	icacls.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
212	discord.com
213	discord.com
219	discord.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023507-5674.dat	autoit_exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	UIHost.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\Temp2811346018\progress_check.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\productupselltoast.js	installer.exe
File created	C:\Program Files\McAfee\Temp2811346018\logicscripts.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2811346018\poppins-light.ttf	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\settingsdblookup.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_install_close2.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-sstoast-toggle-rebranding-step1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\checklisthandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ui-options.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\edge_onboarding.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\lastoemcheck.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\download_scan_ui.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ss-toast-rebranding-bing.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\dailyping.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2811346018\analyticstelemetry.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\info-16.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\edge_search\edge_search_events.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\rules.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-rebranding.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-ui-dialog.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\priorityqueue.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\eventformatter.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2811346018\jslang\wa-res-shared-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\secure_search_toast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\dimensionconfig.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticseventhandler.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2811346018\jslang\eula-it-IT.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\uiarbitratorhelper.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_exclamation.gif	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_search\edge_search_ext_coachmark.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsssetting.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\csp_client.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-rebranding.js	installer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 14 IoCs

pid	Process
1680	rsStubActivator.exe
1060	saBSI.exe
4444	wt0f5hv0.exe
2556	UnifiedStub-installer.exe
4932	rsSyncSvc.exe
2380	rsSyncSvc.exe
2348	installer.exe
2564	installer.exe
4796	LDPlayer.exe
6604	ServiceHost.exe
5232	UIHost.exe
5596	dnrepairer.exe
6400	dismhost.exe
6724	updater.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6292	sc.exe
1484	sc.exe
5352	sc.exe
5444	sc.exe
9228	sc.exe
9612	sc.exe
9872	sc.exe
6128	sc.exe

Loads dropped DLL 35 IoCs

pid	Process
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
2564	installer.exe
4380	regsvr32.exe
5396	regsvr32.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
5232	UIHost.exe
5232	UIHost.exe
5596	dnrepairer.exe
5596	dnrepairer.exe
5596	dnrepairer.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe
6400	dismhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wt0f5hv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3008	taskkill.exe
232	taskkill.exe
2120	taskkill.exe
1416	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ServiceHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
1060	saBSI.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
3628	LDPlayer9_es_1009_ld.exe
2556	UnifiedStub-installer.exe
2556	UnifiedStub-installer.exe
4796	LDPlayer.exe
4796	LDPlayer.exe
4796	LDPlayer.exe
4796	LDPlayer.exe
4796	LDPlayer.exe
4796	LDPlayer.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe
6604	ServiceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	LDPlayer9_es_1009_ld.exe
Token: SeShutdownPrivilege	3628	LDPlayer9_es_1009_ld.exe
Token: SeCreatePagefilePrivilege	3628	LDPlayer9_es_1009_ld.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1680	rsStubActivator.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	2556	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	2556	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	2556	UnifiedStub-installer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe
Token: SeDebugPrivilege	4796	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3008	3628	LDPlayer9_es_1009_ld.exe	101
PID 3628 wrote to memory of 3008	3628	LDPlayer9_es_1009_ld.exe	101
PID 3628 wrote to memory of 3008	3628	LDPlayer9_es_1009_ld.exe	101
PID 3628 wrote to memory of 232	3628	LDPlayer9_es_1009_ld.exe	103
PID 3628 wrote to memory of 232	3628	LDPlayer9_es_1009_ld.exe	103
PID 3628 wrote to memory of 232	3628	LDPlayer9_es_1009_ld.exe	103
PID 3628 wrote to memory of 2120	3628	LDPlayer9_es_1009_ld.exe	106
PID 3628 wrote to memory of 2120	3628	LDPlayer9_es_1009_ld.exe	106
PID 3628 wrote to memory of 2120	3628	LDPlayer9_es_1009_ld.exe	106
PID 3628 wrote to memory of 1416	3628	LDPlayer9_es_1009_ld.exe	108
PID 3628 wrote to memory of 1416	3628	LDPlayer9_es_1009_ld.exe	108
PID 3628 wrote to memory of 1416	3628	LDPlayer9_es_1009_ld.exe	108
PID 1680 wrote to memory of 4444	1680	rsStubActivator.exe	112
PID 1680 wrote to memory of 4444	1680	rsStubActivator.exe	112
PID 1680 wrote to memory of 4444	1680	rsStubActivator.exe	112
PID 4444 wrote to memory of 2556	4444	wt0f5hv0.exe	113
PID 4444 wrote to memory of 2556	4444	wt0f5hv0.exe	113
PID 2556 wrote to memory of 4932	2556	UnifiedStub-installer.exe	114
PID 2556 wrote to memory of 4932	2556	UnifiedStub-installer.exe	114
PID 1060 wrote to memory of 2348	1060	saBSI.exe	117
PID 1060 wrote to memory of 2348	1060	saBSI.exe	117
PID 2348 wrote to memory of 2564	2348	installer.exe	118
PID 2348 wrote to memory of 2564	2348	installer.exe	118
PID 3628 wrote to memory of 4796	3628	LDPlayer9_es_1009_ld.exe	111
PID 3628 wrote to memory of 4796	3628	LDPlayer9_es_1009_ld.exe	111
PID 3628 wrote to memory of 4796	3628	LDPlayer9_es_1009_ld.exe	111
PID 2564 wrote to memory of 2768	2564	installer.exe	119
PID 2564 wrote to memory of 2768	2564	installer.exe	119
PID 2768 wrote to memory of 4380	2768	regsvr32.exe	120
PID 2768 wrote to memory of 4380	2768	regsvr32.exe	120
PID 2768 wrote to memory of 4380	2768	regsvr32.exe	120
PID 2564 wrote to memory of 5396	2564	installer.exe	121
PID 2564 wrote to memory of 5396	2564	installer.exe	121
PID 6604 wrote to memory of 5232	6604	ServiceHost.exe	123
PID 6604 wrote to memory of 5232	6604	ServiceHost.exe	123
PID 4796 wrote to memory of 5596	4796	LDPlayer.exe	124
PID 4796 wrote to memory of 5596	4796	LDPlayer.exe	124
PID 4796 wrote to memory of 5596	4796	LDPlayer.exe	124
PID 5596 wrote to memory of 5708	5596	dnrepairer.exe	125
PID 5596 wrote to memory of 5708	5596	dnrepairer.exe	125
PID 5596 wrote to memory of 5708	5596	dnrepairer.exe	125
PID 5708 wrote to memory of 948	5708	net.exe	127
PID 5708 wrote to memory of 948	5708	net.exe	127
PID 5708 wrote to memory of 948	5708	net.exe	127
PID 5596 wrote to memory of 6000	5596	dnrepairer.exe	128
PID 5596 wrote to memory of 6000	5596	dnrepairer.exe	128
PID 5596 wrote to memory of 6000	5596	dnrepairer.exe	128
PID 5596 wrote to memory of 5932	5596	dnrepairer.exe	129
PID 5596 wrote to memory of 5932	5596	dnrepairer.exe	129
PID 5596 wrote to memory of 5932	5596	dnrepairer.exe	129
PID 5596 wrote to memory of 5960	5596	dnrepairer.exe	130
PID 5596 wrote to memory of 5960	5596	dnrepairer.exe	130
PID 5596 wrote to memory of 5960	5596	dnrepairer.exe	130
PID 5596 wrote to memory of 5980	5596	dnrepairer.exe	131
PID 5596 wrote to memory of 5980	5596	dnrepairer.exe	131
PID 5596 wrote to memory of 5980	5596	dnrepairer.exe	131
PID 5596 wrote to memory of 5996	5596	dnrepairer.exe	132
PID 5596 wrote to memory of 5996	5596	dnrepairer.exe	132
PID 5596 wrote to memory of 5996	5596	dnrepairer.exe	132
PID 5596 wrote to memory of 6052	5596	dnrepairer.exe	133
PID 5596 wrote to memory of 6052	5596	dnrepairer.exe	133
PID 5596 wrote to memory of 6052	5596	dnrepairer.exe	133
PID 5596 wrote to memory of 6088	5596	dnrepairer.exe	134
PID 5596 wrote to memory of 6088	5596	dnrepairer.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayerex.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=852068
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5596
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5708
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:948
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:6000
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5960
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5980
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:5996
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:6052
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:6088
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6352
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:412
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6128
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3380
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2972
    - - C:\Users\Admin\AppData\Local\Temp\17487B18-7E65-4258-A40C-4FDC7932907F\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\17487B18-7E65-4258-A40C-4FDC7932907F\dismhost.exe {6C930BC2-D6F2-4576-A3F9-0690F2E1A705}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6400
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:6128
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:6292
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:1484
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      PID:1624
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      PID:6044
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      PID:6104
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      PID:5744
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      PID:7144
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:5352
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      PID:5444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:3680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:6468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:5348
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    PID:9880
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:10128
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:10200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/ykt8hgSabz
  2⤵
  PID:9168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8eb6b46f8,0x7ff8eb6b4708,0x7ff8eb6b4718
    3⤵
    PID:5300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:9712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    PID:9720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:10188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:10196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12615692292793160482,9852619517086739027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:6152
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\\dnplayer.exe"
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:9228
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:9612
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:9872
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    PID:5368

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=303dffb23ae308072ce30f1aaa2e9682594b9f86&dit=20240928155682940&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\wt0f5hv0.exe
  "C:\Users\Admin\AppData\Local\Temp\wt0f5hv0.exe" /silent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\UnifiedStub-installer.exe
    .\UnifiedStub-installer.exe /silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
      4⤵
      Executes dropped EXE
      PID:4932
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
      4⤵
      PID:9776
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        
        PID:9792
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:9840
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
      4⤵
      PID:7464
  - - C:\Windows\SYSTEM32\fltmc.exe
      "fltmc.exe" load rsKernelEngine
      4⤵
      PID:7556
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
      4⤵
      PID:7616
  - - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
      "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
      4⤵
      PID:7668
  - - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
      4⤵
      PID:8108
  - - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
      4⤵
      PID:8180
  - - C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
      "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
      4⤵
      PID:5452

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files\McAfee\Temp2811346018\installer.exe
    "C:\Program Files\McAfee\Temp2811346018\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
  - - C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:5396

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2380

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6604
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5232
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:6724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
    3⤵
    PID:5128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
    3⤵
    PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:5532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:7104

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:7952

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:8156

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:5464
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  PID:8692
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  PID:8756
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    PID:8848
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,12526413088614450442,13676694496587823996,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:2
      4⤵
      PID:6084
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2220,i,12526413088614450442,13676694496587823996,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      PID:5628
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2344,i,12526413088614450442,13676694496587823996,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:1
      4⤵
      PID:7188
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  PID:5024

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
PID:6372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x468
1⤵
PID:9240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9584

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
PID:9972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
d079f4f02596473852b6875e74f4035b

SHA1
17c4df4c9202bf9046c3e1b7d3d06e6ec06873fb

SHA256
3cbc7746de86b79b83432199755a9400506c92562944d1a04d3db0878cc76c8a

SHA512
764a3f72d3397e916fe54d1bb6a32e81609e104d36cb5a3bbd3037af1435441a1692a468e461ed40944279b7b0a5664e6b70e9e9c8f7f3e5d950fa0df96bde0e

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.7MB

MD5
ac43f5c04b6f45df325709a1fa8590b9

SHA1
7542a4cf17c4b7a24a539339e414e0d5cbfc0005

SHA256
8c159037a007c8430e8f4acc5f3e143191e96adc596549aedf4e61d8973f694c

SHA512
596a97738ed3b05f683afe7724f02efd0e4767d09d006755b27adce7db48aae8cd83f0db5c472991ff7f8603e8d9e0f99149a17b67570d1e36ee591cc1d399d0

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\Program Files\McAfee\Temp2811346018\analyticsmanager.cab

Filesize
1.8MB

MD5
948d496f4ad6e8b149db6056be02c8f7

SHA1
8e2aeec2e560e44fbe3c8364ed397982f8155c4c

SHA256
c52816565ae77cd08e0525b702379caf97e2436ed7efbd7411057b38741e52c4

SHA512
72947258a90fc7f82330abdef5586f77b8c7a0408cab349e19ee49102e7e80eec1526961925dec18af7b97490b19d9c88167915c10d4ce815e0322640d177f41

Download Submit
C:\Program Files\McAfee\Temp2811346018\analyticstelemetry.cab

Filesize
48KB

MD5
f580c51c1cb2e8337a2985310dd2fcbf

SHA1
b16d9c5235a3fcfb49a7a629b5a5b6aa481420bb

SHA256
cc03ec78334232f8204e62f73a9c547bf97ca205f2588d19be260a3ac742b2ad

SHA512
cacdb1927e150da7d66c4a0a02d165536c21b45f15f138a82036e9c399d9a534d1a9f9be87d70489757d5905d92152003fdd6b0273d1200d7158b66f1454862d

Download Submit
C:\Program Files\McAfee\Temp2811346018\browserhost.cab

Filesize
1.3MB

MD5
e9383df7daf869a69eee9ff7ec07989b

SHA1
0196df29cbdd819ac16df198396e08f92932c70c

SHA256
5487bab12503446edc939ed5b2928ef5e5237a987cfe2fbdcabe8d41ed7a956b

SHA512
f1cf7bb7d134e5f469a97b785e3b2179dae6b76e60adacfe86b5c8581b8330e615faac0c045c70e8d94238449997ded15f2e50d90e22a9c7fc2b3266170760ba

Download Submit
C:\Program Files\McAfee\Temp2811346018\browserplugin.cab

Filesize
4.8MB

MD5
5a0b1351afb4c6e82e1e2fdb040cfb40

SHA1
25f8de6c83a40daa388bd28d4f2de1080293e816

SHA256
b121285658ee1230f975dc834dcb5dfb1d9a80c8f2abdd9898dfc1ea877fee0a

SHA512
c66274c38998d0aa9064600b2bcde1a6a4ed551a4e00a0a622046e447843cd300bf15a14e2b361a54a47644cd3a16a68e3f78b884e6ec198d67385ee1d11cc0f

Download Submit
C:\Program Files\McAfee\Temp2811346018\eventmanager.cab

Filesize
1.5MB

MD5
37b3275879c23c99fbf4e6539fc4c8f6

SHA1
48c6fb2f083be017bcc7de3934321329c363bf9d

SHA256
5f93db4b3a5c08498f22903ad3196551d080c59b2283e988f5095d95ac47b700

SHA512
7dc01b625c1627e22c57b2c9e90e06ca2e4ceeacee2ffc5c21d5821c245314a68546429770fd0c9b1566bc8e7cd925347fc5efdd799f0296241dfe7c33da1cdc

Download Submit
C:\Program Files\McAfee\Temp2811346018\installer.exe

Filesize
2.9MB

MD5
c484b9d06655c8272d1d185e9c9a2496

SHA1
e55f7af8eac4e8dff8b2eb845b34d75c5937df9a

SHA256
db4ef534357ff1c2a0d6cf925743f0f904866404c71f446d8e771d14e8a94b7a

SHA512
a81895a53c46be9d990912592c9903d361c0bccc1d04da41f529b4542e7f0b8ca6050d9eeec20c17c7030d502abcc4c79e6e8996b09f83fc55e35a7bcc70dfb9

Download Submit
C:\Program Files\McAfee\Temp2811346018\l10n.cab

Filesize
263KB

MD5
9c392136d2f86c7943af5c5fba254697

SHA1
b0e4a19480b58e0d425d267e6721c2c1d6e1c1ee

SHA256
9fda6ad872e73260562d46932fe2323ecc8a93f176289c0f34a98743a6d10e98

SHA512
ff1411549e49b2545350fd044250200290223f7d4c4e000992163d707bc0b220c8e3c87af444ad5b8178e7e041f0488a6fb694a81b79371768e136f12acb84b5

Download Submit
C:\Program Files\McAfee\Temp2811346018\logicmodule.cab

Filesize
1.5MB

MD5
81f22bcf2faf5d08db345c82987a4b25

SHA1
af56eba04562a2c2a1d6def1c6cce3e01a89951d

SHA256
a40903e9d84fdbbde037e52cc46bbfec95112086e34d03c22e0c5f4619a54f45

SHA512
f749f0376d07e46010e7118ccb5e81ee0cbf88bfb484a35462811eeaa2046678c73d5e9e176c78badd08e2e34dd4dfcb1b94d20a879985551b37e4ac182b9e0a

Download Submit
C:\Program Files\McAfee\Temp2811346018\logicscripts.cab

Filesize
50KB

MD5
7d236b3a5f33a736cccaa9943a3c89d1

SHA1
551272bffd8510b5d84ef82587474e0416f3c03a

SHA256
4fd07c5bce2a6321580991a73f61b35de7738bca6af43b2bf78995301e17506e

SHA512
980c05a7d339e40c5f8cbafdb6e3098a3de7be4dda96ea3ffb06d967d8fc8e01f319a967a45f3ae2cd55cd9c93f9425078db6406bc56be1b016e3d440551d241

Download Submit
C:\Program Files\McAfee\Temp2811346018\mfw-mwb.cab

Filesize
20KB

MD5
0b88f2ce8a77f3b7be6e2e86bdda1937

SHA1
5b68e2ab98686a2767b28da7ffd5ad43a67a0af9

SHA256
826b84079e8339f41480e8eaed430fb28b49cd32dd883f4eb8f2a97240b14f8c

SHA512
ea192fa5adb815256aec313f4f9e8cc1a072c5b789b7db5f3e499be04dd8adbacd2fe00266052fccf68c8857097112b57ded8ce2a3da16732e607dd74032169b

Download Submit
C:\Program Files\McAfee\Temp2811346018\mfw-nps.cab

Filesize
22KB

MD5
554c5a07f082abfa4c8a9ca813905cb4

SHA1
936365bd10f41d53ff2166c42f04caecbe6fdfd2

SHA256
80e4a81c367539686db74789f25bea849ee7fd87a41d7152a1739b5ec38b1415

SHA512
a2d2c8d55ea5c378590e49d0c1b6e09feeb0c05fdf2ef336b34b7352ba4a9ef3f72d415437b829a4ac1b47ac1c4a8bf67abb65cc3bca14a732d87a90fcb63d71

Download Submit
C:\Program Files\McAfee\Temp2811346018\mfw-webadvisor.cab

Filesize
798KB

MD5
58f465e0295353de4a02870901785d2c

SHA1
4a6fc92bcdbb237b551d3e2d586f350ce3b7d4f0

SHA256
5d53ee618aaadeaca1d5ee1d0e2c301730381e775e3f6bd7d8677cb87ac6abe8

SHA512
e4bc76da62a13c36e0fe74acb2a6ec8e727a825062eac8d1fcbfba73d2234cf3b5e950b8c990e65f406dba38bf8d7145714a3d092f363902d0c29ae02af5a015

Download Submit
C:\Program Files\McAfee\Temp2811346018\mfw.cab

Filesize
300KB

MD5
d8fdb5d408de3fb3d9ea77f5ec70d55d

SHA1
1ae0ef14cc4b08c728c6d3586a62f14a905b5f74

SHA256
77ad4e648e2d7d30ac670af0f8899a4429889686cb54873859414d969636667d

SHA512
0cd48a77d7e7bde547b54d62247a83172ee99d94ff1eefd7f5b967413c4b05ac7e1baf528068bcd9742423e417066348ece256b06965aea06909a5e3bddceab3

Download Submit
C:\Program Files\McAfee\Temp2811346018\resourcedll.cab

Filesize
37KB

MD5
70bd5acece22d3586fbff94fe2fe0a7e

SHA1
4b46e6b3bf7d88c90090b74bf4ef902833651c20

SHA256
f1c9b3cb7c8a1b3a68dfe014b149909387d01d0cc192f5834f882b1972e06fbd

SHA512
c603344152632c108f5b9fd88d7f34d3f5f0a4d0ae5b780b364fe61e2f00ff63615ca6575258fd25c668a4f3e0240ada281491b2081022511feac4f5b9c7929c

Download Submit
C:\Program Files\McAfee\Temp2811346018\servicehost.cab

Filesize
326KB

MD5
9fe9b6abd88e593f9288bb63446a2ae7

SHA1
24ed3766b72c89e9cf8da76f3bc9a2552ed7f23c

SHA256
a4b2f56755c454d2745d21b30b5c878e79be1a04119e188886cbe8a0e1ccd297

SHA512
2e94cfa974ee431f2e2304f1ae6c1779ab089024e86f525570657804322f040bef222ed1c64c03eb4e2ef6a8e1c527301812eb97108a24a2829b192597ec78d4

Download Submit
C:\Program Files\McAfee\Temp2811346018\settingmanager.cab

Filesize
783KB

MD5
50b3b5266f709bb84ce80dcda040cdea

SHA1
e1862427c715d70425a0d714528c3a117796d010

SHA256
146147344df10dfdd23aba2dfbbcd00a60024b8972d8a57b769a5c9a49c4150c

SHA512
cae266eece6386048efe5088800c32a4b72b96a59837b3fc4075b46647a33eaea1f6bea620def9c53c7c24ea08dafce68ae49a2a4cf977d205dfc33276ca995b

Download Submit
C:\Program Files\McAfee\Temp2811346018\taskmanager.cab

Filesize
3.0MB

MD5
4108ee83a46fffeef0430631bda817a9

SHA1
425b10edc4bbe8a50ab309f4633759a029589d88

SHA256
a488bde45358dbfe3275e7e0a67ee480849014dc82200e5513d6157abe037119

SHA512
d4b30ce00c1849647b7d7a698dc9cc73fff30adde71638294e4db7f3d00feb2d9bd4e14d4aa586aebf780315f728c26d710d1232b393f3c910ba5c388fbe49b3

Download Submit
C:\Program Files\McAfee\Temp2811346018\telemetry.cab

Filesize
78KB

MD5
721ab0661c9c2df45f8fc81c29b19006

SHA1
612ee04ff11e37ae75c2752ede42d2bd07e61efc

SHA256
8d2c570437fca975c5210886323c6aecee29cdeeac1460c8d01905435097371e

SHA512
fd706e7c9353b31004a71bd61705564e9e83cbe6c0bf8b3235103c86aea7b55f72f7429b6a9ef6c52d616b188b0a49f1c7b159fad61bcc51093188f94f557ca7

Download Submit
C:\Program Files\McAfee\Temp2811346018\uihost.cab

Filesize
322KB

MD5
983896bed04e562e81908342aac6c0ae

SHA1
8d0ba502d7fae61d7402d289f3e77831261de94b

SHA256
b54d15c751e3abc2e14ed02cfbafddcbba42979e6d15399406355141ca09668c

SHA512
379e0a917090dabd60901fba5941c2f68290400b2194f589ab3de333b36e734492b49ff70ac2b1750cbb3457d616c9c466f7548714c98428ba90cc59f7301773

Download Submit
C:\Program Files\McAfee\Temp2811346018\uimanager.cab

Filesize
1.8MB

MD5
d15a4eb083f7d2cea8ddb9f44545fa23

SHA1
76422171056209cf6e5732e0082a924f5d6be662

SHA256
44b08bcf216ce5bbc6842510d4cf6b20c3c1b97792bb791c50ec8200e66606aa

SHA512
31175f52e64507fd7ea45367e2bb9963ba4a685f1fedea0a0dbc000dadbf30876429d0fd6a802fee8cdafc16648213cb77a4c7b84d3c5ecc378f2ace8f13dd9b

Download Submit
C:\Program Files\McAfee\Temp2811346018\uninstaller.cab

Filesize
1.0MB

MD5
bff18033b19b6fed1ef103687a4cf8f6

SHA1
c03d295934cb3c1509b92d978c68fa1efe7fe1e1

SHA256
d5b7c8b90ef85e380e4173a7dae6f8fb8048b50ac1f5daa0b24dded20a2eab7e

SHA512
43ce5e41d6289d03d6714623eab56c23c6670f7b53cbc3fed8a09e85a875e9dd47cd7f670d31e6483fd71dca2ba9c5010cb0b0776e01a856f4e8bff320eec9eb

Download Submit
C:\Program Files\McAfee\Temp2811346018\updater.cab

Filesize
962KB

MD5
e5cd2a1d246a815e486325c491f1ebdc

SHA1
9c49dfc54123ac61ef80370685f88f033ae85f57

SHA256
d4ed9e35021a114c98e7e5624b96ba5a65a8c7a98f1a6fbca8515dd9ecd1305b

SHA512
8b03d465f7375df0ea998aa499d227be4e5e5172faea00fa6f3d700da86fc8ee7b94515d6acb9eda9b313a333656947bc3c15db6271956984c86c359ef13a735

Download Submit
C:\Program Files\McAfee\Temp2811346018\webadvisor.cab

Filesize
11KB

MD5
35fbbb3b94e0176c8f18b9bfc98e848f

SHA1
5f7f2cdc62300f805f803dfcf3d2cdab47c27d3b

SHA256
277613f6ebe69c431a9afb7b51dcbff45ed8ba26fca74114afb1771f9b1a8e04

SHA512
bca884edb753220a5fd002c5ab23150d2b3fe4f4a7faf3c7de61ffc0e733ae12a878b136c8e33c879d301b09ed6589126ea0ab9b5066ef78b5c70f29556565af

Download Submit
C:\Program Files\McAfee\Temp2811346018\wssdep.cab

Filesize
572KB

MD5
55711b3aa9171feb47ac57d19fc02cda

SHA1
1446bf4e77cfa2aaa19936a897460e7f3aa449b3

SHA256
09346a2285969107f3f7f11f33de0772141748983156a0efed47564a7a4abb87

SHA512
a7a054e12f0b1aa2712a8f9a01509f76efc84dd89dcc57d81002ff176e745b375018284b069a078e14dc97c3267b161298aabd8e94a9cb42e0c89a7b0a8664e9

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll

Filesize
5.1MB

MD5
10707e39bbb4b650ff6e68365a16c21f

SHA1
6b116fb102c4e8eda9ae809adfcfa23a2704f54c

SHA256
b5321dafbe906e23d5d5f8b52397465667199862bd91106868c94b24a4356b85

SHA512
e049e8331697120ceada56c43a9c53196c6945a5bace7736cb3dde99c2925117b22b2bd8d0386dd0bf9b118bb3f2fa79695287b93f369a9b5d696c14a60cc642

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
bd4e67c9b81a9b805890c6e8537b9118

SHA1
f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27

SHA256
916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8

SHA512
92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll

Filesize
1.9MB

MD5
392ccff00d1d0e67eeef8669b6cf3d6a

SHA1
055e2a8e69febe4e16499679434f235fa0012cd8

SHA256
09ffc144fe013d87a0727d9918a6affee161315e57a75b7766a88931e6c7ffc6

SHA512
cf9580e72e9e1b265945d07ef693e0305ab02443ea5c6d853a12ed3b7fa25acb265a60d5062c170909eb87d859a8724b6c88e0bf704ff676a948f41f849e094e

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsTelemetryHandler.luc

Filesize
2KB

MD5
0a454bb7f7b20dd97468916ad08d91d8

SHA1
ed2ec904f7307439693fa597dcab639c3aefbe1a

SHA256
ac1a59e20ef66f3786f29f3a6342888951fc24dad58ebf8a2c7581c314e31223

SHA512
a6b08ce908b041bf840e5eff4172471bb1f6fa37a7558dc9f4c0f93e0f0e89ae80dfa76f8882efd3d277d4d7005923c91befed035faaee51f6138e2fd0fd0bac

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\class.luc

Filesize
656B

MD5
5755668303042ca729fe6714d7b225c8

SHA1
becda56fbf1404cb609d1fbe5b37cd13b58564fc

SHA256
5e17f8ce7d6ba5794eb55418c6162721ed2aa4d48c44fd3cf92388fe65a29121

SHA512
1335e1f945f13ded65675b014350528cfe56f484c5830c3f0efd66665c6e8d34af8a96936ab1964c6ac44e4724669fd929425805b1836d620f1ad08ff597bb1b

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\dkjson.luc

Filesize
9KB

MD5
dbba7c76055b89c4533e9c28e3000ed5

SHA1
9639eab8d8512daebd8ef87ff88252884ce5c810

SHA256
eba7e588eb9085dd3c18f595e5f8c069da375c4114d515dda97851aff7806cfb

SHA512
ee64493c9e8530c53ab05b52b102d660412eeb0bf5fcf36a279dd93de6c6be5686f3778b48f60381d2f0eb239970cbbaeb36cc3a3bd4a47efa7c8ec5177d1aa4

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\logger.luc

Filesize
699B

MD5
4882e525be6ec1d8643f9a4a61b6bde8

SHA1
c0383175a1786c021d99b910169e457935624713

SHA256
85a52781ed4a8c722ce63e8f48c47b8dc9d35418c1fa217bf111ea0f477aac6a

SHA512
d6e9c6999edf0a07f25622533448f50aec0efa804d7c449514ea8310dcda742ad88f8c4d0bd02e7461b45e6c2f3347d9927837af76d2bc4983e736c61eb43e52

Download Submit
C:\Program Files\McAfee\WebAdvisor\servicehost.exe

Filesize
896KB

MD5
6152b9c97b8af8694b6a7ea680fccf6b

SHA1
4529de7003040079dbd2a51a6afc20602b1dc51a

SHA256
56b65be8ccae0e8c41f76415d0aac32f9f9a0760bca5f1c5b837638792612ac2

SHA512
c6b0cead83489a8065f4385cc009299aeb15b0289c2ce6fa1d49bc2847ba40cb39450a9bad1406b2b7c87a5228f79fc48ba2a644189ce1b8dbae2cd57fc99c2f

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

Filesize
630KB

MD5
d9476b88efb8b9204e627f88e5dcf14f

SHA1
ca8d57feb25da8458422400a4cd0fefdc8a0f8bc

SHA256
0b4d12970f0cc6d2dd4845133f7c382e4ee1705be87470860aa39e8855db43b1

SHA512
d98e2e8b15e666fbc5bf4a209792b4ab92f27faf34cb2a6b8df2173504b986beaa81e2d81a01abb35aec052d73edaa4db139cec22cad81741076f4a3d89b4dc0

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

Filesize
785KB

MD5
dcd70b2ee47216054599cbae77b750d7

SHA1
13570de6673ecf6af538c096cf67eea94bc00295

SHA256
81f29edc2803159a4dffb157ec69e12cec1ae7f894411756cf23621aed14824e

SHA512
3cf3e293502dd4de2099e096467c183ce641eda7ebc97fc75153dc0c9f4d06892be68e3f9e8f6b5b7edc69a4b412e2b8182e23b425be35abf84c78edcce27925

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\Uninstall.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
406B

MD5
0dd7ab115062ec8b9181580dbd12ff02

SHA1
28a9115deb8d858c2d1e49bec5207597a547ccf0

SHA256
2fe9b5c64e7ef21c1ea477c15eff169189bac30fd2028f84df602f52c8fc6539

SHA512
2c1a4e5ebf7ab056d4510ea56613fec275ca1da8bb15ed8118e9192fc962833e77974a0363538cebf9ab2a1a1ff9486c3078d14b4820c2a8df803f80f94e19f1

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
660B

MD5
705ace5df076489bde34bd8f44c09901

SHA1
b867f35786f09405c324b6bf692e479ffecdfa9c

SHA256
f05a09811f6377d1341e9b41c63aa7b84a5c246055c43b0be09723bf29480950

SHA512
1f490f09b7d21075e8cdf2fe16f232a98428bef5c487badf4891647053ffef02987517cd41dddbdc998bef9f2b0ddd33a3f3d2850b7b99ae7a4b3c115b0eeff7

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
239B

MD5
1264314190d1e81276dde796c5a3537c

SHA1
ab1c69efd9358b161ec31d7701d26c39ee708d57

SHA256
8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5

SHA512
a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
88285150963049628938a59781999007

SHA1
989a4e83167d1b9ec33973d41c5de64ab8b8f4d3

SHA256
d591b6e3151921e1c8ca1e4ac38af1efe37e1fb1113b782c0ba067880916d3dc

SHA512
522d90f0fb381510628e70074f559ca4346dca1c2132e806d0ef7766545843e9501fbeff1148a415bb7f6116a11d9a4414d4bce7213e1f2e0e8d41e997620ed8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
1977eb6845cf7a44928f54fb30c4bf40

SHA1
0f2d16e7e8b134e83a07b7517fabbc7944745e42

SHA256
b0ce7cdb844466d9d2c7d15d75fb55ffd8fe115f0c0d88aeff2d2def817758f2

SHA512
836b9476cce8ae7423d4bfaee4a587a07476a69d0ddacf75984bbf670124210a69641601b34bdbe06fad4e33261bed28e4108413085542dd40bd8f5849f50eca

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
6KB

MD5
88b5feca8a0638d377d428b18c74fd86

SHA1
2dd5af1f6f22e59b0fbdf4d6c6ad1a900cd9a747

SHA256
2eb9323d18cfdba7128f8215224f25d510bc205d0bb5aadd66b0d091c63774eb

SHA512
8730ff940b5e67f3235ad3a2083984a8be355b736e4b0be5215a12d991139a8d5e622980c38d2470eddfb9e783a1e722bf61b10c40ffb067cec6c6c52923b017

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
3cde475e087c652f37c28aa47c650412

SHA1
ef78fed215a9df2c5132737af7271e9f5a786a71

SHA256
61ff5c3a3c2a3a4d6f46ee4ee7b4ee41fba487c97de47cd8f845b9446d7964b7

SHA512
85526cbe418ea2ccddcf2eb82b1c353308a947a14898a2fa8cc375a63d75c54c5e81db02b933fe1a9155aeb3aa8a2e7ce9b629d6e5865b9a76d7a0533cda612a

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f467eeb51256ddc792bf02f70d3e855

SHA1
3b2a27e560877692dc6cdba31beae6f4f79344a2

SHA256
037ed450227d8a516d5c311f5bfaf2b9d6a7df21a66d41236bd175cf58a353c7

SHA512
0535a3fe5ce0d7c1ccec98cf9aedf6066b9bcb0c0eb126c59fe044063504d2fba871b32074d5b10f04102505652901c7a1fa81cc392efc45e0ca8f03c3710ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\66afe9db-1d73-41c4-8f5d-180aa21a3563\UnifiedStub-installer.exe\assembly\dl3\79f68c54\3c24ce4d_bf11db01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\66afe9db-1d73-41c4-8f5d-180aa21a3563\UnifiedStub-installer.exe\assembly\dl3\a903cc43\3c24ce4d_bf11db01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\66afe9db-1d73-41c4-8f5d-180aa21a3563\UnifiedStub-installer.exe\assembly\dl3\aaa0d68b\3738c24d_bf11db01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\66afe9db-1d73-41c4-8f5d-180aa21a3563\UnifiedStub-installer.exe\assembly\dl3\c0f410f6\3c24ce4d_bf11db01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC51A86C8\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe

Filesize
24.4MB

MD5
1f33ef139e68dd3964151053787a95e9

SHA1
e8dc0eb54526fb427e7cb7ee6c8d0ad330ba97b8

SHA256
a3a8e3067c8c1aade62617b6882c3dddd6d681994346c957f85c22a073c725b6

SHA512
c2896443e41ad4adc6f86e7e73897213dacb2eee93e249ac01a348f40ba3c2b8ee16f2b029c6a681ea694338ff6ffd126e0147b4a1509bf8e34b8edf202fc46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe

Filesize
32KB

MD5
acb232db21b6b734f722908374efb1ae

SHA1
c4c88e81cf3cba0d5af0ebc23fee89351e5a5846

SHA256
0b40c3dec1e9318a375cecc5a5bb610391a51e235e7c2a560e6adbe78c2fa5cf

SHA512
5e2d626b6c42a229137401003928ab5b06a1d1232b48e62f286f7e213acb9389dcdb855e9e224f978cef419944dd6630ae487a7c81f7d79149b2639c72eca492

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
f45a92aba92be451667f7771edecdd32

SHA1
bb8496d04363a8ae818a9b3efc0fbcc1ba893f78

SHA256
22e95eb59a7cb402fadc1783c7f3c613aa18ebd09480e30f4a6557df8d066b26

SHA512
a6d734db225021487df46b2f62fb7a71883e2aa8837eb0097082510d8f01b519842cd26700ce84f2e2fd9012cb396ea894123d31a0e3e22636ecb859f68010af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bggfg1ty.zkp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwaEDA7.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wt0f5hv0.exe

Filesize
2.4MB

MD5
7a88d99f608e017f76e1b2cb945b8b07

SHA1
9e368736d48608362e23609fb4f3cdf8eab9fcda

SHA256
eb6dcf211058252bafb1a7845bfba6fcf75402fdcc1701eddb3dd87a2c5e5d0b

SHA512
744d4b642e8b5457103993159657a237405653df5406419681249f8f3bc8ff0caed3656187b7e6d071c3218e0a31c1a5be5791508e4d49841fd2c7b119cc7943

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
f7a0a4481be22a5e88414b59b66fb40d

SHA1
607ad029b08cf0856f264d5b4609d61fcfb7c723

SHA256
af678908489c742fd60a95884678cf98b2a0ebefa4c979bff41dbac5cc980fd3

SHA512
cdd15be61d646019e4f5db36841fb7e755aec0f78b44d8896e7e2a4ab370d18999702fee6a9308218d1c96327ad8c126e7a0034ef74b29310d0ea2a04113ce0f

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
276KB

MD5
bef020afcbbe87e569b3f7b753926cb3

SHA1
4e4586fd50f8156ceb87d3de307ce58ce226432c

SHA256
3c4bfd0c3af4fdda7af01f2f2b15eb541ef924a81b90ecdc6d0edc2d6f8889fd

SHA512
f561af9bc2f1d15d73ccab49d3da142679ec710af3354deb5fe02e6f3fe13f8a2752d7504d88b6eb7a5596fb5de72317a1070ecb0904a15816c90874275fd490

Download Submit
C:\Windows\System32\drivers\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
memory/1680-51-0x000001C7B9BE0000-0x000001C7BA108000-memory.dmp

Filesize
5.2MB

Download
memory/1680-49-0x00007FF8DA7E3000-0x00007FF8DA7E5000-memory.dmp

Filesize
8KB

Download
memory/1680-50-0x000001C79F200000-0x000001C79F208000-memory.dmp

Filesize
32KB

Download
memory/2556-3415-0x000001A6F7C30000-0x000001A6F7C88000-memory.dmp

Filesize
352KB

Download
memory/2556-3372-0x000001A6F7A90000-0x000001A6F7AE0000-memory.dmp

Filesize
320KB

Download
memory/2556-188-0x000001A6DC350000-0x000001A6DC45C000-memory.dmp

Filesize
1.0MB

Download
memory/2556-190-0x000001A6DE120000-0x000001A6DE166000-memory.dmp

Filesize
280KB

Download
memory/2556-192-0x000001A6DE190000-0x000001A6DE1C0000-memory.dmp

Filesize
192KB

Download
memory/2556-5137-0x000001A6F7D70000-0x000001A6F7DA0000-memory.dmp

Filesize
192KB

Download
memory/2556-5093-0x000001A6F7C90000-0x000001A6F7CCA000-memory.dmp

Filesize
232KB

Download
memory/2556-194-0x000001A6F75E0000-0x000001A6F7692000-memory.dmp

Filesize
712KB

Download
memory/2556-195-0x000001A6DE210000-0x000001A6DE232000-memory.dmp

Filesize
136KB

Download
memory/2556-5104-0x000001A6F7C90000-0x000001A6F7CC0000-memory.dmp

Filesize
192KB

Download
memory/2556-197-0x000001A6F6A90000-0x000001A6F6ABE000-memory.dmp

Filesize
184KB

Download
memory/2556-5116-0x000001A6F7C90000-0x000001A6F7CBE000-memory.dmp

Filesize
184KB

Download
memory/2556-202-0x000001A6F76A0000-0x000001A6F76F8000-memory.dmp

Filesize
352KB

Download
memory/2564-396-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-413-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-607-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-677-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-662-0x00007FF7BF570000-0x00007FF7BF580000-memory.dmp

Filesize
64KB

Download
memory/2564-592-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-579-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-577-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-576-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-631-0x00007FF7BF570000-0x00007FF7BF580000-memory.dmp

Filesize
64KB

Download
memory/2564-625-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-567-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-565-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-563-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-561-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-536-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-517-0x00007FF7CAD00000-0x00007FF7CAD10000-memory.dmp

Filesize
64KB

Download
memory/2564-502-0x00007FF77D7B0000-0x00007FF77D7C0000-memory.dmp

Filesize
64KB

Download
memory/2564-493-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-491-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-486-0x00007FF78D780000-0x00007FF78D790000-memory.dmp

Filesize
64KB

Download
memory/2564-484-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-480-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-475-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-470-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-460-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-458-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-437-0x00007FF7C9160000-0x00007FF7C9170000-memory.dmp

Filesize
64KB

Download
memory/2564-609-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-611-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-612-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-619-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-620-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-623-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-671-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-603-0x00007FF7CAD00000-0x00007FF7CAD10000-memory.dmp

Filesize
64KB

Download
memory/2564-545-0x00007FF76C880000-0x00007FF76C890000-memory.dmp

Filesize
64KB

Download
memory/2564-498-0x00007FF7A95C0000-0x00007FF7A95D0000-memory.dmp

Filesize
64KB

Download
memory/2564-425-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-426-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-386-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-385-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-384-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-383-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-427-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-388-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-394-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-398-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-408-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-406-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-405-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-401-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-608-0x00007FF7B9870000-0x00007FF7B9880000-memory.dmp

Filesize
64KB

Download
memory/2564-415-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-417-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-424-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-429-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-433-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-432-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-428-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-430-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-431-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-434-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/2564-435-0x00007FF7A03C0000-0x00007FF7A03D0000-memory.dmp

Filesize
64KB

Download
memory/3628-28-0x000000000A540000-0x000000000A5DC000-memory.dmp

Filesize
624KB

Download
memory/3628-29-0x000000000A5E0000-0x000000000A646000-memory.dmp

Filesize
408KB

Download
memory/3628-13-0x0000000072AFE000-0x0000000072AFF000-memory.dmp

Filesize
4KB

Download
memory/3628-35-0x000000000BD60000-0x000000000BD72000-memory.dmp

Filesize
72KB

Download
memory/3628-36-0x000000000BDD0000-0x000000000BDF0000-memory.dmp

Filesize
128KB

Download
memory/3628-34-0x000000000BC00000-0x000000000BC1A000-memory.dmp

Filesize
104KB

Download
memory/3628-37-0x000000000BE30000-0x000000000BE62000-memory.dmp

Filesize
200KB

Download
memory/3628-33-0x000000000BC60000-0x000000000BD12000-memory.dmp

Filesize
712KB

Download
memory/3628-41-0x0000000072AF0000-0x00000000732A0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-32-0x000000000B240000-0x000000000B290000-memory.dmp

Filesize
320KB

Download
memory/3628-31-0x000000000A530000-0x000000000A53A000-memory.dmp

Filesize
40KB

Download
memory/3628-30-0x000000000ACC0000-0x000000000B1EC000-memory.dmp

Filesize
5.2MB

Download
memory/3628-43-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/3628-40-0x000000000BEB0000-0x000000000BECA000-memory.dmp

Filesize
104KB

Download
memory/3628-27-0x000000000A450000-0x000000000A494000-memory.dmp

Filesize
272KB

Download
memory/3628-42-0x0000000072AF0000-0x00000000732A0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-38-0x000000000BEE0000-0x000000000BF46000-memory.dmp

Filesize
408KB

Download
memory/3628-26-0x0000000009750000-0x00000000097E2000-memory.dmp

Filesize
584KB

Download
memory/3628-22-0x0000000009B60000-0x000000000A104000-memory.dmp

Filesize
5.6MB

Download
memory/3628-39-0x000000000BE70000-0x000000000BE8E000-memory.dmp

Filesize
120KB

Download
memory/3628-45-0x0000000072AF0000-0x00000000732A0000-memory.dmp

Filesize
7.7MB

Download
memory/3628-44-0x0000000072AFE000-0x0000000072AFF000-memory.dmp

Filesize
4KB

Download
memory/3628-12-0x0000000006CF0000-0x0000000006D00000-memory.dmp

Filesize
64KB

Download
memory/3628-17-0x0000000009560000-0x0000000009574000-memory.dmp

Filesize
80KB

Download
memory/3628-18-0x00000000733E0000-0x00000000733F4000-memory.dmp

Filesize
80KB

Download
memory/3680-2967-0x0000000006C70000-0x0000000006C8E000-memory.dmp

Filesize
120KB

Download
memory/3680-2968-0x0000000006C90000-0x0000000006D33000-memory.dmp

Filesize
652KB

Download
memory/3680-2954-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/3680-2872-0x0000000000D00000-0x0000000000D36000-memory.dmp

Filesize
216KB

Download
memory/3680-2873-0x0000000004BB0000-0x00000000051D8000-memory.dmp

Filesize
6.2MB

Download
memory/3680-2874-0x00000000049F0000-0x0000000004A12000-memory.dmp

Filesize
136KB

Download
memory/3680-2880-0x0000000005460000-0x00000000057B4000-memory.dmp

Filesize
3.3MB

Download
memory/3680-2955-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/3680-2973-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/3680-2957-0x000000006E4B0000-0x000000006E4FC000-memory.dmp

Filesize
304KB

Download
memory/3680-2956-0x0000000006070000-0x00000000060A2000-memory.dmp

Filesize
200KB

Download
memory/3680-2974-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/3680-2969-0x0000000007400000-0x0000000007A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3680-2972-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

Filesize
68KB

Download
memory/3680-2970-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/3680-2971-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/5348-5123-0x000000006E4B0000-0x000000006E4FC000-memory.dmp

Filesize
304KB

Download
memory/5348-3406-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download
memory/5452-5420-0x00000262DAA80000-0x00000262DAAAA000-memory.dmp

Filesize
168KB

Download
memory/5452-5424-0x00000262DAA80000-0x00000262DAAAA000-memory.dmp

Filesize
168KB

Download
memory/5452-5422-0x00000262F5C40000-0x00000262F5E00000-memory.dmp

Filesize
1.8MB

Download
memory/5464-5454-0x000001C94C100000-0x000001C94C130000-memory.dmp

Filesize
192KB

Download
memory/5464-5457-0x000001C965320000-0x000001C96536F000-memory.dmp

Filesize
316KB

Download
memory/5464-5298-0x000001C964C20000-0x000001C964CA8000-memory.dmp

Filesize
544KB

Download
memory/5464-5299-0x000001C94C2B0000-0x000001C94C2DA000-memory.dmp

Filesize
168KB

Download
memory/5464-5421-0x000001C964AA0000-0x000001C964AD2000-memory.dmp

Filesize
200KB

Download
memory/5464-5423-0x000001C964A60000-0x000001C964A8E000-memory.dmp

Filesize
184KB

Download
memory/5464-5297-0x000001C964A20000-0x000001C964A58000-memory.dmp

Filesize
224KB

Download
memory/5464-5425-0x000001C964AE0000-0x000001C964B08000-memory.dmp

Filesize
160KB

Download
memory/5464-5460-0x000001C965450000-0x000001C9654B6000-memory.dmp

Filesize
408KB

Download
memory/5464-5438-0x000001C965220000-0x000001C965244000-memory.dmp

Filesize
144KB

Download
memory/5464-5439-0x000001C965250000-0x000001C965276000-memory.dmp

Filesize
152KB

Download
memory/5464-5440-0x000001C965590000-0x000001C965838000-memory.dmp

Filesize
2.7MB

Download
memory/5464-5459-0x000001C965E40000-0x000001C9660C6000-memory.dmp

Filesize
2.5MB

Download
memory/5464-5300-0x000001C964CB0000-0x000001C964D28000-memory.dmp

Filesize
480KB

Download
memory/5464-5455-0x000001C965380000-0x000001C9653DE000-memory.dmp

Filesize
376KB

Download
memory/5464-5456-0x000001C965840000-0x000001C965BA9000-memory.dmp

Filesize
3.4MB

Download
memory/6372-5458-0x000002C5E68C0000-0x000002C5E68EE000-memory.dmp

Filesize
184KB

Download
memory/6372-5461-0x000002C5FF1E0000-0x000002C5FF292000-memory.dmp

Filesize
712KB

Download
memory/6468-3001-0x000000006E4B0000-0x000000006E4FC000-memory.dmp

Filesize
304KB

Download
memory/6468-2999-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download
memory/7668-5241-0x0000028318910000-0x000002831894C000-memory.dmp

Filesize
240KB

Download
memory/7668-5226-0x0000028316CC0000-0x0000028316CEE000-memory.dmp

Filesize
184KB

Download
memory/7668-5227-0x0000028316CC0000-0x0000028316CEE000-memory.dmp

Filesize
184KB

Download
memory/7668-5240-0x00000283188B0000-0x00000283188C2000-memory.dmp

Filesize
72KB

Download
memory/7952-5264-0x000001EDF6F90000-0x000001EDF6FB2000-memory.dmp

Filesize
136KB

Download
memory/7952-5263-0x000001EDF6720000-0x000001EDF673A000-memory.dmp

Filesize
104KB

Download
memory/7952-5262-0x000001EDF7670000-0x000001EDF77EC000-memory.dmp

Filesize
1.5MB

Download
memory/7952-5261-0x000001EDF7300000-0x000001EDF7666000-memory.dmp

Filesize
3.4MB

Download
memory/8180-5268-0x0000021AF0D40000-0x0000021AF0D68000-memory.dmp

Filesize
160KB

Download
memory/8180-5266-0x0000021AEF110000-0x0000021AEF15A000-memory.dmp

Filesize
296KB

Download
memory/8180-5267-0x0000021AF1580000-0x0000021AF15DA000-memory.dmp

Filesize
360KB

Download
memory/8180-5293-0x0000021AF2610000-0x0000021AF2868000-memory.dmp

Filesize
2.3MB

Download
memory/8180-5269-0x0000021AEF110000-0x0000021AEF15A000-memory.dmp

Filesize
296KB

Download
memory/8180-5279-0x0000021AF21C0000-0x0000021AF2204000-memory.dmp

Filesize
272KB

Download