6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

Analysis

max time kernel
217s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
Size

3.3MB
MD5

7c2e5ef59e9589422bcd5bf3726fbcb1
SHA1

c4dac6966ac4cd3500d6a7fe44138a0db639d507
SHA256

6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
SHA512

28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45
SSDEEP

49152:XZi5hu7I/BzfK/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hOw:XI5ht/BzfKW1t0xOouBiCV2Ht

Score

8^/10

discovery exploit persistence spyware stealer upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\FuncName = "WVTAsn1SpcLinkEncode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoEncode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	Conhost.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1888	takeown.exe
3240	icacls.exe
4988	takeown.exe
5020	icacls.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5020	icacls.exe
1888	takeown.exe
3240	icacls.exe
4988	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000717-45.dat	upx
behavioral2/memory/4488-47-0x00000000003F0000-0x00000000009C9000-memory.dmp	upx
behavioral2/files/0x0003000000000717-50.dat	upx
behavioral2/files/0x0003000000000717-51.dat	upx
behavioral2/memory/2752-53-0x00000000003F0000-0x00000000009C9000-memory.dmp	upx
behavioral2/files/0x00040000000162b9-62.dat	upx
behavioral2/memory/3884-68-0x0000000000DD0000-0x00000000013A9000-memory.dmp	upx
behavioral2/memory/3884-67-0x0000000000DD0000-0x00000000013A9000-memory.dmp	upx
behavioral2/files/0x0003000000000717-70.dat	upx
behavioral2/memory/1028-72-0x00000000003F0000-0x00000000009C9000-memory.dmp	upx
behavioral2/files/0x0003000000000717-78.dat	upx
behavioral2/memory/1512-82-0x00000000003F0000-0x00000000009C9000-memory.dmp	upx

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 10 IoCs

pid	Process
4488	OperaGXSetup.exe
2752	OperaGXSetup.exe
3884	OperaGXSetup.exe
1028	OperaGXSetup.exe
1512	OperaGXSetup.exe
2124	LDPlayer.exe
5044	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
4600	dnrepairer.exe
1808	assistant_installer.exe
8	assistant_installer.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2548	sc.exe
944	sc.exe
2108	sc.exe
1172	sc.exe
4012	sc.exe

Loads dropped DLL 12 IoCs

pid	Process
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
4488	OperaGXSetup.exe
2752	OperaGXSetup.exe
3884	OperaGXSetup.exe
1028	OperaGXSetup.exe
1512	OperaGXSetup.exe
4600	dnrepairer.exe
4600	dnrepairer.exe
4600	dnrepairer.exe
4600	dnrepairer.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
4300	taskkill.exe
5008	taskkill.exe
2400	taskkill.exe
2992	taskkill.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	dnrepairer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe
2124	LDPlayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
Token: SeShutdownPrivilege	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
Token: SeCreatePagefilePrivilege	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe
Token: SeDebugPrivilege	2124	LDPlayer.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 4300	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	94
PID 2176 wrote to memory of 4300	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	94
PID 2176 wrote to memory of 4300	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	94
PID 2176 wrote to memory of 5008	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	97
PID 2176 wrote to memory of 5008	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	97
PID 2176 wrote to memory of 5008	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	97
PID 2176 wrote to memory of 2400	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	99
PID 2176 wrote to memory of 2400	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	99
PID 2176 wrote to memory of 2400	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	99
PID 2176 wrote to memory of 2992	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	101
PID 2176 wrote to memory of 2992	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	101
PID 2176 wrote to memory of 2992	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	101
PID 4488 wrote to memory of 2752	4488	OperaGXSetup.exe	105
PID 4488 wrote to memory of 2752	4488	OperaGXSetup.exe	105
PID 4488 wrote to memory of 2752	4488	OperaGXSetup.exe	105
PID 4488 wrote to memory of 3884	4488	OperaGXSetup.exe	106
PID 4488 wrote to memory of 3884	4488	OperaGXSetup.exe	106
PID 4488 wrote to memory of 3884	4488	OperaGXSetup.exe	106
PID 4488 wrote to memory of 1028	4488	OperaGXSetup.exe	107
PID 4488 wrote to memory of 1028	4488	OperaGXSetup.exe	107
PID 4488 wrote to memory of 1028	4488	OperaGXSetup.exe	107
PID 1028 wrote to memory of 1512	1028	OperaGXSetup.exe	108
PID 1028 wrote to memory of 1512	1028	OperaGXSetup.exe	108
PID 1028 wrote to memory of 1512	1028	OperaGXSetup.exe	108
PID 2176 wrote to memory of 2124	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	103
PID 2176 wrote to memory of 2124	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	103
PID 2176 wrote to memory of 2124	2176	LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe	103
PID 4488 wrote to memory of 5044	4488	OperaGXSetup.exe	109
PID 4488 wrote to memory of 5044	4488	OperaGXSetup.exe	109
PID 4488 wrote to memory of 5044	4488	OperaGXSetup.exe	109
PID 2124 wrote to memory of 4600	2124	LDPlayer.exe	110
PID 2124 wrote to memory of 4600	2124	LDPlayer.exe	110
PID 2124 wrote to memory of 4600	2124	LDPlayer.exe	110
PID 4488 wrote to memory of 1808	4488	OperaGXSetup.exe	111
PID 4488 wrote to memory of 1808	4488	OperaGXSetup.exe	111
PID 4488 wrote to memory of 1808	4488	OperaGXSetup.exe	111
PID 1808 wrote to memory of 8	1808	assistant_installer.exe	112
PID 1808 wrote to memory of 8	1808	assistant_installer.exe	112
PID 1808 wrote to memory of 8	1808	assistant_installer.exe	112
PID 4600 wrote to memory of 2764	4600	dnrepairer.exe	114
PID 4600 wrote to memory of 2764	4600	dnrepairer.exe	114
PID 4600 wrote to memory of 2764	4600	dnrepairer.exe	114
PID 2764 wrote to memory of 1476	2764	net.exe	115
PID 2764 wrote to memory of 1476	2764	net.exe	115
PID 2764 wrote to memory of 1476	2764	net.exe	115
PID 4600 wrote to memory of 3324	4600	dnrepairer.exe	116
PID 4600 wrote to memory of 3324	4600	dnrepairer.exe	116
PID 4600 wrote to memory of 3324	4600	dnrepairer.exe	116
PID 4600 wrote to memory of 1128	4600	dnrepairer.exe	147
PID 4600 wrote to memory of 1128	4600	dnrepairer.exe	147
PID 4600 wrote to memory of 1128	4600	dnrepairer.exe	147

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.dioptralgm.robuxfree_3040_ld (1).exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayerex.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=262698
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:3324
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:3728
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1888
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3240
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4988
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5020
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\dismhost.exe {E20BFF52-73EF-422B-BD28-FAD46933C9C1}
        5⤵
        
        PID:1104
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:2108
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:1172
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:4012
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      PID:1944
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      PID:3332
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:2548
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      PID:944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:4992

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:operagx --launchopera=0
1⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=97.0.4719.84 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x6ee2b3f0,0x6ee2b400,0x6ee2b40c
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4488 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240220134135" --session-guid=8154eb77-7dd4-4aac-a803-26252386ef4a --server-tracking-blob=OWU3NDZmZWI4NzQ2YzliNDBkZjJhZGExOWExYmQzNjk0NDMzNDBkZDBmNjk5MDM4Y2JkNTE1YmMzMDlhMGVmNDp7ImNvdW50cnkiOiJJTCIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9YWlzJnV0bV9tZWRpdW09YXBiIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjgyNDA4MzY5Ljg4ODUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTEyLjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJvcGVyYWd4IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiI2M2ZkNTRmNy0xZjBiLTQ0NDEtYmNjOC05ZTI0YzFjZDM3ZjAifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A805000000000000
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe
    C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=97.0.4719.84 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6e17b3f0,0x6e17b400,0x6e17b40c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1512
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xb94f48,0xb94f58,0xb94f64
    3⤵
    - Executes dropped EXE
    PID:8

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Manipulates Digital Signatures
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
4.2MB

MD5
0633a436f5adda62b3ee1972dd4be7e9

SHA1
33ab985b059b8fa36cedb1c9c4adcbf12f492a6c

SHA256
202ec6230eb774a91ed73cc92e4a00829ae49d11fd35ab1cf62c0cd91b4cbc19

SHA512
8c92cc3fb71582c045a03b96d5b4c65fc3bbcc0429aa8939642dbc005868868edee688a47300dcb137be04fd66549177375e09f5799e8314604adf6cb863f2a1

Download Submit
C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
5.4MB

MD5
a3f56208ca6efaa82e291778224c233d

SHA1
70ab46211511deff7b2821ce7a659ffe089d5b28

SHA256
7f359ee23822356ae9970d8ce622bd652c9a2398bc27267496d4beed036522ba

SHA512
58a7ae8a42503d0d727108540a87d1978e803397115fca5b8f39a166b3410914036840167e466e947ae5fb9c4692be3175f9a894f00d7e4ffef5d06117c45f1e

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
44018fcece5f173e4e931d1d681f8607

SHA1
302060adf3e797b6c5aa9dbeba755b640943268e

SHA256
68feaaf31b4cf0c3b1ebf5ecdf8f551914f0e50fadb38c23fcbb396b1808f8bd

SHA512
90afee634f07d8e8026e2f368e2036a93355f9ea6b8e420a05ff2ee069eeaa2147c5df50fcd996faf99837b4142dac76a70de64b967daf7511b17d7647d02dda

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
2.1MB

MD5
c2548ee73693cf2a4d7f50660981d6af

SHA1
c24c9ee18dc83d5feaadd0317667184b9229feba

SHA256
0e1146aabad078a29494c001f2995b051103ee4cbe4bdd05ac284a634d69ed65

SHA512
38661899c2d2edf2fde11a335fcbb60bbe7595a5e43ddd4ae6c7c9fb8ca5f4ead6acdd32c7ae5d28c0a6bcd768fe5e1fef188abca87cd3026a2a6769ffaebc2c

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
1.9MB

MD5
901dd09313852c88f90dcfb81fffb75e

SHA1
4ddaf3a8496396a5158abff1ea562b5b89834f54

SHA256
50d35082c360e1ce9a87da28592097bef49c79544d914c0007357b91f498e07f

SHA512
871c3a51e40a09b3d3264028a7296d253149427b65ff0293cee6bf6efe6aa3160acdf3117d3e4baabc5b9b661b465eeb5413bd728bacbf0063a0a5ad5e8b76a2

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
1.9MB

MD5
75be9fd892a83248a1e1f48ef7fe9387

SHA1
336c9e15adf047430df56bf3b54a4cd82b8b5195

SHA256
f4a501b50ed6dbf2c5ee880362e7cd121d5faa0cbb82563a6c87cd998a08dd96

SHA512
c273514842c9d51eee746d24cd396ae277b5f1ba54a579fca0aec247bafd41c1903926bf6cadf802a25adf67e5ad38659c30744b772e90b516f92166fa8e57f5

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
6.4MB

MD5
d151d17176f8678f0203f86aea74b054

SHA1
5a02426d8a24e859571756964bc49f9b9018f0b2

SHA256
418d618fa2f28727cfa539d360b763187a34f493a3c0e87c83e439b8e30d0a6a

SHA512
5b9998d1e36e22598a44274fa837184612a1ba7de8b928ae6a4b5fea07ddf6623f107a692d21ee8416307ec92e5d2dab3b87b121b55edef56f278e8b4e7f72c7

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
6.6MB

MD5
63d662f588613be0135b1297598c7b39

SHA1
3d9d794686e0fe293ceaae2b11cb6fd01585253b

SHA256
a68cc927c8efd995770aa85d423292f19cea161421272f2459e86dc2475fa93a

SHA512
d7d5f20503a5fed32de3fd8c784498cd7554c22833e84ad6a2a106ca62a9d930f9de91bc12c62d7f54ba5f73e7457d4f127a9f26189443d610a5fed844514039

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
4.5MB

MD5
6bbd719a9534d69d9b0c79da2572f678

SHA1
d9cff9c48a68ca8ec4c60eb434e490493ea032ff

SHA256
3fba6a2634ef6f1bdc2f41dfa0354935b19d5d4ffa54a80cb5a119250d9900a4

SHA512
ff4b8dfa591d797eb4232be37fad46b41fc82b2f3381e63b6e1c24d7b351fa812dbfcc2da903f0b31439c85d78f19ff2b6847e3070d843a73464bcf2ad52b617

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
641B

MD5
1903edc8f8cb0272923dfa5b2f7363ec

SHA1
bc5c3b30c7a55fe3320f9029b596a97e8eb0976e

SHA256
8f0074492c287ddbcb80de99ab0cfbf0726eb56fe4d1c0428b489268186bbcb7

SHA512
ed1dbbcc8b2616b654456d7efa16523f3242a01fa4ebcc7f321e3c48783bcf7e39883af5e901932e4105a8ada01d6bb8d69018eab77fd5b8148c154a860c18c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
1.7MB

MD5
0590096b914bbb24ed2e2c3504f6121e

SHA1
1745633cec0de039d75436ab096d4dcfc6c69e5a

SHA256
ceb07b9b44869f82ef696e125e23c63e92a134ff23ae7fad95a1e67043bf1aa2

SHA512
676ad213111bb347402c91ce492b7b529ba570e2e3f14c8f8592d8951b8d93823a02280c2d122e4da4d1f2c00e9e19cef921b8a0485090d0531bf082dee7073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202402201341351\opera_package

Filesize
4.4MB

MD5
25ede566897ac03fb4603efd236228e0

SHA1
00bd25bfebec8c35717489aa2e6dbe53f13570cc

SHA256
e403254eea33860f3976a171660f8e04c426db6e12ff16facfea307c8854cd8d

SHA512
8413d287e1a620c1bbe3bd5e50c8e8f38d70bb37e68ee7a5825ba939735318aad0853f3c1dbccdf23c920202c54f02f18381ccbb085823a4ab0d4e13d0b86b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
d6b02daf9583f640269b4d8b8496a5dd

SHA1
e3bc2acd8e6a73b6530bc201902ab714e34b3182

SHA256
9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

SHA512
189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4F1A771-BFCE-479C-9F80-85089C83422C\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe

Filesize
3.4MB

MD5
184e818b7e543ccedbeb99c4ceca2b0d

SHA1
1e967197b197166f34b63b57e35f38572967f257

SHA256
7ae3a2f53d2839c640b052d4bf276747fee3892f8028f68a9064c505b4d823f6

SHA512
4a9d06de5fccea8d1e30fca63fbf6f039cabe7c50925017a6b74f98e0112f5e05c780d47924cec328f0e175b9c1bc84e778d1cb1a6e264b0e9ea04902f7d04b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe

Filesize
1.4MB

MD5
a68ac9ae013e8cccdec0cd853c3b38f3

SHA1
86aa57435ba4f3222e23025841baf099b968de61

SHA256
365b6fba61e706cf93cdaf9449341e6040ca828bb218aadeb0ea6855afed5157

SHA512
d1469df27e68dc317bd46393f6608e223acc9f6ea58af2b46bd60d0e37c8baab46fdf5bd3c56b79cf9e5f334842f3cc6e9489a8af3d24967d93c6b9f4bbae167

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe

Filesize
1.6MB

MD5
dcf927bf1d55db09501556202b855013

SHA1
3a1b13cc8181331af9536ec9c6eea0f51dc96640

SHA256
388ae6d0e696faa88f059cd842ac7be4716b3d71b7f4dca6eef6175ddf7b5feb

SHA512
79ca15f9c39b97c537a7fbd846d460095668c498ab2e8ecda1bdfd4ac71a94e51142058579af4ec6dcec136fd9db5e196c00a5838ec65931f202353c3ff2a77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe

Filesize
2.3MB

MD5
1bda5abcc616ec4c761d9f3340f227ad

SHA1
dc68c2592b13ee60f3327a49c8aa609b76dc1769

SHA256
03fb192589bb6eb2f98a5bd2c6e61531a71f79a7bd234425a00bd65c67c2db11

SHA512
ce25961725acb9e0492d0558d20774fdf8bbc9904ee93027f07bb9d08e0ba8b80f52af62a5b46c394c72d946b4aa806ad8bb6c155e79fc1fc80572898fdafb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\OperaGXSetup.exe

Filesize
2.0MB

MD5
95849f0f8add3f9a8d33b8bdf66087ed

SHA1
49bc10c486be5745050ed9b35fea2cfb10b8ff1d

SHA256
010cf4ddd65c41e600d15bd6a991d0ffe16f2d61033187ac6103948d990e3ec7

SHA512
c62d829a5cda48455a00c57db291187f0d6498803cd4f9e9675a385f5ffcf32f901c242b558f138925a0caf55c71c5dbe99b4938dbad9fd9a17d0c69b81f8158

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402201341314564488.dll

Filesize
3.0MB

MD5
7821c47489892d8fcf87b14b7ca15f44

SHA1
db548f6828755923c94a39ec3c7091b44394c242

SHA256
221be02ba2424e0b3d68bb97207647d58b54ba77e5d3b4d4f33abf2ba1aaccf9

SHA512
4d7edacf0d69e7fe2f2b87ea302870221e78101a0af5a7223cd20e15eafb0002484c5e338709e0fc7d7e897eb7984f87eaaf7d03dd6b09a0ec324b44a6fe50cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402201341319872752.dll

Filesize
1.5MB

MD5
5e2cc15abe7e4fab3fa258bc266422bf

SHA1
d5f9c0b2be51a3da132b283eaafdf9ef55e9164a

SHA256
897e0678ac957b09e4b153d6fffed1e9dfae747433c58fb6c44a0a92322a8002

SHA512
747ca9e3568fd9a8ed715306799cd82544100b53cb77fe659922172b98ffbf58601c3bfac02bdfffa03db4e1ae2d1113cf8960d5df7f002baad4b1d664a53119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402201341336433884.dll

Filesize
1.4MB

MD5
7fc998d21e000881049d944046725b07

SHA1
f540394d7c5a606c836642acb225ff29eb7ed8b2

SHA256
6c443ffc14dc5f0f400cb0bc20fb7563130996084a6dde227e8736a0e3ec0648

SHA512
6ce635772469eff39e00fbf1f0f122eb2014885070df3c58405f80c4e66c66f390237262bc50b7770befd98df3970358764271e14c906d55fab5b68503f86e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402201341355651028.dll

Filesize
1.6MB

MD5
5f04cdc025912a8af5d108d87a669751

SHA1
4fcd95c1b723b46491fdc3483443f7fad739761c

SHA256
20df9586a34edb0bfe9ada1e20bbd052811c30651f14ea380e9efbe1a3dd35c3

SHA512
67912b565dd2aab3b18da188bef17ce4df88d7de3bce3e4dbb3031804f0f2c3ecaee864e517ec40adec27c79b12c4dd8fe8e9058e241bea8a9604e197367a9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402201341360811512.dll

Filesize
1.2MB

MD5
35ccd422d55e60770d1560959999dc50

SHA1
a6fc09302e1405f378580cbbefafd99f49a280ad

SHA256
e3a8e4f9827647c819625a1394bb201f786c5f6bc1191c6e507e9bb6d0d146ce

SHA512
501bac2a99d19ff74bf8e124dc724008e32c320b332cb9925cdf31aedd8d076ce43da762536353f58a08f62083e17db8222e9dd349dbd57afccd98172e178e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcripurr.a25.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
bea3f1f2a0559af39b138078dec99b53

SHA1
3a2ecc99dcd5a4071dbb5fdd63d8e81e91669552

SHA256
85c1f728c94c72ecb1a411e336607e296f11a03fee9133e064c7245f54d258d4

SHA512
8eb9d75107140b9a36226e3a8e9c4fbbb288662477f75970fb765f3327990c32b40e49342ceafb99a69fbb6783fbab17069dd3dcf4c01923fa6b5463863962a2

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
206KB

MD5
9c26f9dad89fb1b20028931697582af7

SHA1
61775bb6d4c61c681a818a3d5258186c66cde208

SHA256
6c492e34bcd297f708a3e073517184d9d6e33a67847a9ff5fd05f7a71e57fda6

SHA512
ba54dfe360de045d6874c7f99a8c00b727481cd94d81c8c983427906c7144dd416f84157037caca5c9b9164794873b5fa46c965152da2a4406b84a0fa335e5c1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
246KB

MD5
bf726530add3edf63e1742ff6c19e442

SHA1
13eee1d9608cf06b3eb398fd792b40b23e21cfbf

SHA256
bc173381c8cc069d924ebb0b5528afe6944c7c22f17fd80a6bb12e43d3594297

SHA512
8a8c709e709f9792c553057cca3a952211f8024624a8b3dea01b00ef9f8e4b20de4b60c2a3dede60b3b9bd55a8bcae1359de447dbd1ba60ffc6e619ad282cb65

Download Submit
memory/1028-72-0x00000000003F0000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/1512-82-0x00000000003F0000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/2176-19-0x0000000009040000-0x00000000095E4000-memory.dmp

Filesize
5.6MB

Download
memory/2176-18-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/2176-27-0x0000000008BA0000-0x0000000008BAA000-memory.dmp

Filesize
40KB

Download
memory/2176-25-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/2176-28-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/2176-24-0x000000000A690000-0x000000000ABBC000-memory.dmp

Filesize
5.2MB

Download
memory/2176-38-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/2176-23-0x000000000A0F0000-0x000000000A156000-memory.dmp

Filesize
408KB

Download
memory/2176-12-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/2176-22-0x000000000A050000-0x000000000A0EC000-memory.dmp

Filesize
624KB

Download
memory/2176-21-0x0000000009F70000-0x0000000009FB4000-memory.dmp

Filesize
272KB

Download
memory/2176-20-0x0000000008C30000-0x0000000008CC2000-memory.dmp

Filesize
584KB

Download
memory/2176-16-0x0000000005F20000-0x0000000005F34000-memory.dmp

Filesize
80KB

Download
memory/2176-26-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/2176-17-0x0000000073A30000-0x0000000073A44000-memory.dmp

Filesize
80KB

Download
memory/2752-53-0x00000000003F0000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/3884-68-0x0000000000DD0000-0x00000000013A9000-memory.dmp

Filesize
5.8MB

Download
memory/3884-67-0x0000000000DD0000-0x00000000013A9000-memory.dmp

Filesize
5.8MB

Download
memory/4488-47-0x00000000003F0000-0x00000000009C9000-memory.dmp

Filesize
5.8MB

Download
memory/4992-1054-0x00000000045B0000-0x00000000045E6000-memory.dmp

Filesize
216KB

Download
memory/4992-1058-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/4992-1079-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/4992-1081-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/4992-1082-0x0000000004710000-0x0000000004720000-memory.dmp

Filesize
64KB

Download
memory/4992-1080-0x00000000730E0000-0x0000000073890000-memory.dmp

Filesize
7.7MB

Download
memory/4992-1083-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download