Analysis
-
max time kernel
257s -
max time network
267s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
01-03-2024 12:08
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.ldplayer.net
Resource
win11-20240221-en
General
-
Target
https://www.ldplayer.net
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" regsvr32.exe -
Possible privilege escalation attempt 5 IoCs
Processes:
takeown.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 6336 takeown.exe 2720 takeown.exe 2556 icacls.exe 6440 takeown.exe 5604 icacls.exe -
Executes dropped EXE 5 IoCs
Processes:
LDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exepid process 6976 LDPlayer9_ens_1001_ld.exe 5848 LDPlayer.exe 4684 dnrepairer.exe 2540 dismhost.exe 6916 Ld9BoxSVC.exe -
Loads dropped DLL 64 IoCs
Processes:
LDPlayer9_ens_1001_ld.exednrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 4684 dnrepairer.exe 4684 dnrepairer.exe 4684 dnrepairer.exe 4684 dnrepairer.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 2540 dismhost.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 6916 Ld9BoxSVC.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 5588 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 3432 regsvr32.exe 536 regsvr32.exe 536 regsvr32.exe 536 regsvr32.exe 536 regsvr32.exe -
Modifies file permissions 1 TTPs 5 IoCs
Processes:
takeown.exeicacls.exetakeown.exetakeown.exeicacls.exepid process 6440 takeown.exe 5604 icacls.exe 6336 takeown.exe 2720 takeown.exe 2556 icacls.exe -
Registers COM server for autorun 1 TTPs 17 IoCs
Processes:
dnrepairer.exeregsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" regsvr32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\VBoxTestOGL.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys dnrepairer.exe File created C:\Program Files\ldplayer9box\tstInt.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\libcurl.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dpinst_64.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\padlock.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5Widgets.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\SDL.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAuthSimple.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qoffscreen.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxC.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSampleDevice.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcp140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDD.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vccorlib140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5OpenGL.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxCAPI.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcr100.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9VMMR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9VirtualBox.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qminimal.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDbg.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vbox-img.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxStubBld.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxVMM.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\NetFltInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\USBTest.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSVGA3D.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_V2_utils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\dasync.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libssl-1_1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys dnrepairer.exe File created C:\Program Files\ldplayer9box\USBUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpInstall.exe dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dism.exedismhost.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exepid process 6280 sc.exe 2928 sc.exe 3632 sc.exe 436 sc.exe 1960 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 6148 taskkill.exe 5808 taskkill.exe 6340 taskkill.exe 6252 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133537685589981452" chrome.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exednrepairer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\ = "IGuestMouseEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-800A-40F8-87A6-170D02249A55} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 dnrepairer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ = "IConsole" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ = "IDirectory" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\ = "IStringArray" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\NumMethods\ = "51" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\NumMethods\ = "15" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\NumMethods\ = "22" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4}\ = "IExtPackManager" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\ = "IGuestUserStateChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods\ = "24" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00C2-4484-0077-C057003D9C90}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6FA-430E-6020-6A505D086387}\NumMethods\ = "34" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\ = "IProgressTaskCompletedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods\ = "18" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7997-4595-A731-3A509DB604E5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-71B2-4817-9A64-4ED12C17388E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\ = "Session Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ = "IProgress" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\NumMethods\ = "14" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}\ = "IDisplay" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods\ = "19" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CurVer\ = "VirtualBox.Session.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9B2D-4377-BFE6-9702E881516B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe -
NTFS ADS 1 IoCs
Processes:
chrome.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier chrome.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
chrome.exeLDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepid process 708 chrome.exe 708 chrome.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 6976 LDPlayer9_ens_1001_ld.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 5848 LDPlayer.exe 4684 dnrepairer.exe 4684 dnrepairer.exe 3928 powershell.exe 3928 powershell.exe 2720 powershell.exe 2720 powershell.exe 2720 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs
Processes:
chrome.exepid process 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exeLDPlayer9_ens_1001_ld.exedescription pid process Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeDebugPrivilege 6976 LDPlayer9_ens_1001_ld.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 6976 LDPlayer9_ens_1001_ld.exe Token: SeCreatePagefilePrivilege 6976 LDPlayer9_ens_1001_ld.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe Token: SeCreatePagefilePrivilege 708 chrome.exe Token: SeShutdownPrivilege 708 chrome.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
chrome.exepid process 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
chrome.exepid process 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe 708 chrome.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
LDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exeMiniSearchHost.exeLd9BoxSVC.exepid process 6976 LDPlayer9_ens_1001_ld.exe 5848 LDPlayer.exe 4684 dnrepairer.exe 6180 MiniSearchHost.exe 6916 Ld9BoxSVC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 708 wrote to memory of 2712 708 chrome.exe chrome.exe PID 708 wrote to memory of 2712 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3564 708 chrome.exe chrome.exe PID 708 wrote to memory of 3708 708 chrome.exe chrome.exe PID 708 wrote to memory of 3708 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe PID 708 wrote to memory of 2920 708 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.ldplayer.net1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4f109758,0x7ffd4f109768,0x7ffd4f1097782⤵PID:2712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:22⤵PID:3564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:3708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:2920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3236 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:2432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4840 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5732 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:4336
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:4000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5292 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5780 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5736 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6568 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:1888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵
- NTFS ADS
PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6744 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6900 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:5060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5080 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:3224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=7120 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4616
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5076 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7260 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7288 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:3508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=7324 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=8240 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4840 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6768 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7036 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=8552 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=8424 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6948 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6936 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:2312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=8272 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=8544 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:3224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=8564 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=8908 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=9292 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=9488 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8728 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:4088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=9452 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=9840 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=9848 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=10220 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=10376 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=10556 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:6444
-
-
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6976 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnplayer.exe /T3⤵
- Kills process with taskkill
PID:6340
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayer.exe /T3⤵
- Kills process with taskkill
PID:6252
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayerex.exe /T3⤵
- Kills process with taskkill
PID:6148
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM bugreport.exe /T3⤵
- Kills process with taskkill
PID:5808
-
-
C:\LDPlayer\LDPlayer9\LDPlayer.exe"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5848 -
C:\LDPlayer\LDPlayer9\dnrepairer.exe"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=3280604⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4684 -
C:\Windows\SysWOW64\net.exe"net" start cryptsvc5⤵PID:1780
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start cryptsvc6⤵PID:5628
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Softpub.dll /s5⤵
- Manipulates Digital Signatures
PID:456
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Wintrust.dll /s5⤵
- Manipulates Digital Signatures
PID:1072
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s5⤵PID:5844
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s5⤵PID:4216
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s5⤵PID:4008
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s5⤵PID:3940
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" cryptdlg.dll /s5⤵
- Manipulates Digital Signatures
PID:2232
-
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556
-
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6440
-
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5604
-
-
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features5⤵
- Drops file in Windows directory
PID:6784 -
C:\Users\Admin\AppData\Local\Temp\4158258D-5C9D-4F6E-A485-216AD6DEC417\dismhost.exeC:\Users\Admin\AppData\Local\Temp\4158258D-5C9D-4F6E-A485-216AD6DEC417\dismhost.exe {12CE8E5F-53B9-4D18-945D-175E24B42227}6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2540
-
-
-
C:\Windows\SysWOW64\sc.exesc query HvHost5⤵
- Launches sc.exe
PID:6280
-
-
C:\Windows\SysWOW64\sc.exesc query vmms5⤵
- Launches sc.exe
PID:2928
-
-
C:\Windows\SysWOW64\sc.exesc query vmcompute5⤵
- Launches sc.exe
PID:3632
-
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6916
-
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s5⤵
- Loads dropped DLL
PID:5588
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s5⤵
- Loads dropped DLL
PID:3432
-
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:536
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s5⤵
- Modifies registry class
PID:4984
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto5⤵
- Launches sc.exe
PID:436
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" start Ld9BoxSup5⤵
- Launches sc.exe
PID:1960
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow5⤵PID:6372
-
-
-
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"4⤵PID:6552
-
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6336
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=1548 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:12⤵PID:5344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8164 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:6424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9192 --field-trial-handle=1820,i,14938324052363521531,10465075147338136788,131072 /prefetch:82⤵PID:6396
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:4732
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵PID:2332
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:6180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:5524
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.0MB
MD58227ed47780486cdbe956e7ad33df1d9
SHA1f74f1eb7adaa10b8a7df15b0cf25e03ebc92edfc
SHA256ce7d4631067528d28d497ecb4ae9ed82a6141fa74fc6d636622b2b24cfb82db3
SHA512373cae09473a791b40c151d83e6b0e83921c953e5662a9cdfdb79290851c332b6c6a30252a6a491c6b54de48d052856057f996d84e5f92f0a62e91b44763e5b6
-
Filesize
17.3MB
MD57504dca5f3015a27ca91b7689133de24
SHA1daa090893800a3b0ccc857dc41b38753973eeb86
SHA256e4ca0d96f0767163a029d02c2da2220b39f9b469ba0646e8969ab908ba6c1609
SHA5122fdd61f917f4ed29f1ed618581a524b0ea5cda4e2d4b5594a79b48b7bec87f73dfd4da4084a2ffe791e55f7c05dbe306d96ed7049800eb19aead02cb17a86612
-
Filesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
Filesize
51KB
MD566320b2085eaef1c436f6940b4bb8822
SHA16e92774138f43129a209c3fc80839c7726e9644d
SHA256e7e8225ea6879d0e24be299dfb07b42876157b221e2c01ede29b6da675e830e0
SHA5122a66ed15503c57059dab50128c5d1167f8afd152d5cc84383472db41224bddc4552a9a69a3f59bd820d42fe68a73f45cc5f00a3df3f8172ac744cc432cea4b54
-
Filesize
832KB
MD55dcf8d780e459e5f762758ac944da6d5
SHA1d814802920dda4ff3f57a02ee160cae209dd0341
SHA256ae83bc84e2641397c3054e831f94c2026dbd731a3f3802faa621f70d5a466e5a
SHA512300cc28f200f1a9fa10b890b2bc4f31e7b0c9c999592bdec9a0165e36bf123acb9250312eb018f1c3aa7817c90ebc63743071a55f8c044efad55880a18e39cca
-
Filesize
768KB
MD5807a63d58893ea5fa5fc3a0dc55f7680
SHA17258bef87727428abead13c876fc22a70beeab87
SHA2560f7b749863b1a0f52fdd8eabc305eecdd3090c58ec27ca357384d308f7c10c86
SHA512e7430c24a50dd5dfb6ecbcecdcc17847bc7cd5ee842e5bd301744853d1bdf89adfefb1f45200b1218a6250aa1862e06b6f681f15b7e892a8902485b98844f574
-
Filesize
6.4MB
MD56af0dafebc2759d1737b9a579dd6c2cf
SHA1290ec92da5595a1d0356fc535ee3213d9b857cd1
SHA256808b790089d768d6f8e0529a76a9c3b883a4ef288ba8355a902959b416042bf2
SHA512c3247e1e402189f20d68bb8a5b93d8471018c37f837a3f41d6b3e96c7001659392a1a42f90784897b3ed9b9b6cbfd84e1bcb0f771ec4d9f7ae9e082c89267713
-
Filesize
7.3MB
MD5faf9fb34f52626ab36fcd8fc97b5e22a
SHA1baf678a51bd6c3a4d6bc4b1d20381a53a63492bf
SHA256c791d028985bf99ad5bdb9dbf85d12172800344b52ed590d9b4170a8dd9bb28a
SHA512184fc827f8899042aab92675d349255c384a17725b03a63b46f93375beb5954599759a71e8892fc2049f5da15f8cc81766b0a84320a79edecb16781cead87c34
-
Filesize
5.0MB
MD5f845753af4cc7b94f180fb76787e3bc2
SHA176ca7babbb655d749c9ed69e0b8875370320cc5a
SHA256a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990
SHA5120a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81
-
Filesize
320KB
MD5fcaf8c8f56d181851fd49e8fd09198a4
SHA1f3f47b5512b6af4b1947c176b95a8f93d1e0113e
SHA256cf5b3f4e767fef0b9b5f130f9da9e7d32551f0808676ec67332999f5209a3364
SHA512abafbc67efae45a7c015846cf04d85070c9cd8216d753295437cd97abc3a634cf3fd4a1c493a6a24810f17ea45adfe382b55001cc5996e79687bee8ef22e6be6
-
Filesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
Filesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
Filesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
Filesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
Filesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
Filesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
Filesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
Filesize
512KB
MD550cfd0e38ec9759dc590012474f01d4a
SHA1742566a9e07b0f867ea59dcf2c740bc5c5a2884a
SHA2569b9d907f94e7aa38bc4d059dab23b63a7b5d2aadc1592c461d4d74cfe121b9a7
SHA51226df5e6b99bc67a9bcb411eb5c448dba3c3a2714536dd51a241026e3e3d0da8bf3c9563204ad609bc1af030855fa3d3b97604cf8d50e9b7c3443aa35e53f0c5c
-
Filesize
448KB
MD58dc24b8d106e5050cd7ba09f4864e702
SHA1ec608e615f6e85498b7bc4d63cd1f9c7aeca57b0
SHA25638a80d7379e070339a2409dd806857677d6868e4db3ade8d00be49125817d504
SHA5124f9397c98918846c7c2f9c2a84d17f45f3679bffa8a0eccf9a1aed5eaaaf7c8919696616b638339466e6d86bea7cc712e267b8853ef43fdb30c009377ff209f4
-
Filesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
Filesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
Filesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
Filesize
768KB
MD55441524aba9dd4a6c472c47ffc9cb17d
SHA1884c19580af7ce7403ad41dec2c5c5f8880e1442
SHA2567ec6c65ce8fd21ceab1ee27f516656ee5c0123b4bab527959046570fc9d31fe1
SHA512ca419978c067feb2d38bacd565a6352d9b760b37b54695d2afb9d6a6cf184145c5a75a873f960b616d5d30fff39c215def1d9f9f4ab630f04c81742a397501c7
-
Filesize
3KB
MD5753c4b02dc54f4d784052b1413938f9f
SHA1a8c9601870213662761f283dc95661b70e6f1cb8
SHA25644c4820b173d02f99352df6b0e86a44e26f36d8577ed0c629c582c6e390ae714
SHA512acc4714908e8a45b61120ffbcc71402f40de6839b5dd69a682ba5a65c041aaae55c46664f7cd1c1210a7c058bdd43430abe96454f8864d8bebee0d0802b7fb59
-
Filesize
3KB
MD51b783429b3537980fc9fd60a0d0d5a60
SHA1ef95a979396c8b2a1fcc9dda8a15f3c8049217c0
SHA256e605afa3e26a13d4242fbd6f6b8e94a5a1d19b4e9a0ab5d9e3393fec62e47aca
SHA5124a8d3405c264445cf4e7a76b25126db8fe3d19821389203dbce87543702cc14a6e75b83af94a75250ce7cacc0eac3edd3918b4c1b75769f4911ea487af5d7fe8
-
Filesize
264KB
MD59b092aa8a74158f141cd368ff1f879d9
SHA1e44cc975d93db93d2c18e98e4a4d356bd7c991b7
SHA256375a7ee89eff38ad598162e4ee8df3c742e466fe607f9bdeb49adbcf67bacd52
SHA512e5e32d17d112d894f482b7872a833780673ad9c405444a3150f3a2d12362a83d220c371ef29e9c2d2ac026800c68cb0125cdd9cb7eaf4d01197abd440bc7b676
-
Filesize
15KB
MD50664e590e3151026923c5c2375feac73
SHA14c99a033c299ea0c7039a6f9de0fb89480b92a01
SHA2565ae0985ae8e86dfb2ebbc23c42572e3d3b209279936d8f0c967eb456387c3d3f
SHA51267d41668a7ff619591044e6bd7b4eaa3b390765bc9448c474fac4b3244156932526d336804aebe1a537eff08c722e87982d6d8e92d460ee41e75367d8e54bc17
-
Filesize
3KB
MD524158276d5f37bc3a2aaa4151485768a
SHA16b4ee35616dc18d173d718268996ad628af133f4
SHA256decce8beece2c2fd38ad2e6b76a4269af5ab0fdf5bfb5a05e9d5715efec85427
SHA512043245a831422397f5674950a379c972b7886ac70b591e111d01c6e10e349a92940cdea0c409fdaff2ec485e6c05b4a1bb7f4903bc515cb8cecce31a3204a1c0
-
Filesize
4KB
MD593b3aa51f65c49c613bbde6a7d39f89f
SHA198bbcf3bcfbdef6c2bf8f43091b685deba394639
SHA2566df9c56c448825930dbf69f8001b067c9cb1aa2bcea7dd42d005ac5e1146a9fe
SHA512e4dbf0ce86d97c9021e63a3075396d0d05ec9e8c2979e8e29c849e5a408740a2c10b50c3b6119ff98acb2d59063de77fca6ca0cf83bb214f7ee129973b930aaa
-
Filesize
4KB
MD5d3cdbb5785811e3da15f1ac265ed3583
SHA1b0641d31123ed582d078386e41d9eaa1f1278c63
SHA2562fc5a25b9d8be73f40b23a7c4ac2f54949a54a0ba513962f89dc8cf399d9d340
SHA51250ec5129c6589ad9ede861c9af75da695bca1a9acc1a20f6319e5f8a5a3ea54a4c99ca0551a2f8a04620b3c8b955c48354c59bd7eb40709e94b803d9e8783a3b
-
Filesize
6KB
MD5615cfc8eb2cbc61bcc4bd83d5ca09333
SHA1cd9da17997ec70f4f9e010607e9cf02e2f68b416
SHA256cad015c4d87ef2df6a972f05f036a64a9db90025d06cc19cfe5dbb73a32bdeb2
SHA5123c34f9640639bbb55dad978661b0626c451d6c84bd80ba3a8c01b1948191b9a3e7c5d7e5630d82cdc8e73dfd95e745315359c92964d38b4842c0dffd4b9c1035
-
Filesize
6KB
MD55a1c1f250c322a8d25d085c2e243edba
SHA1dcf9783c1a826b09c7848edb11b530126f6a7ed9
SHA256a70a23cec01b32f62bc0077d2567ac7f491f1acc8cae53cb745a5c8bf4c4d9a3
SHA51215420262b855983e6f4e4fff11198ec2e099299b6e10d7cf0666e92f518ae8c50d201555717188bbdf257335ac2bfb8dd016dfbe9673a27955f26bbf862b328f
-
Filesize
6KB
MD5a2b5135895ce40bbc16c725bdd0ee04e
SHA12c322bf32658f871d5444eb372ad58a578936974
SHA25691bfc34f5b08e35d970dacbffcd794f1ec74f677cb0b4152e4a3a293faab7a5e
SHA512db8fa0285de3ad6031ed23bc545022f14c2d96c85b1897beab1df9e83fce2e36aa9461b0a02ad987b707f285e1b164631842d31d1ca1b3d4a9d3025c52a1756a
-
Filesize
130KB
MD536b4cfdc17e5cde6dfc4b86b296b0624
SHA10fd6ee0fb0685d38e44c89a8992beb10be9731d4
SHA256c7ea0c78fdd8971dd045a1047462281c0fd75523bbd11741b6352216d8d2e336
SHA512231d07624a6149f186e4464a1de2e013a35291375ee354c97bc4226b5ad33af359a3a54e1df469e216937bd7a29c2fc11017436ae72ffc7578b1ee4c399dc267
-
Filesize
130KB
MD56f30c3524011b77e534d12831ad7743b
SHA1ba9caf5f3e66ff538fb48d0744f516c9d79469f4
SHA256b0b26bdd17a5da9f44464beedf25f4b40a1f46d49c54a9bcde7ccb63004eabf7
SHA5125a7f90de8d06bde101cdaf9cf5c47222e7ad92f946f162b7118e7014b66936b095dd1ffc48fbf4e44e059eabe8ff9ed575550cd28bf4e01c107228799881e4e4
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
67KB
MD57d5d3e2fcfa5ff53f5ae075ed4327b18
SHA13905104d8f7ba88b3b34f4997f3948b3183953f6
SHA256e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4
SHA512e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
65B
MD5aa1a6ee83fb2aecbc03c74512c01a633
SHA167101e27c167a8133617eb0eb471bd38b3028f6b
SHA256a864bef0fac8025c02f7c7b249c4aa30e6bb983875ca7a53a71932c646ed0b42
SHA512a0fe23f852271a22c8938d643439b2eb7ceca1750ece46303a08909b0ba049748a02c43d3f60eb03bf158cf8dd25f8fd94553e4ef1e4b0c932a9e5a5a2d716f4
-
Filesize
3.3MB
MD57c2e5ef59e9589422bcd5bf3726fbcb1
SHA1c4dac6966ac4cd3500d6a7fe44138a0db639d507
SHA2566870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd
SHA51228870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45
-
Filesize
23KB
MD5b122ff44e44dde427b05ceb83f4baa2f
SHA1f08177aea49bb3ad9c5d5885a53de45c2c2a45cb
SHA256bce9026fc659b417291fa061266d63e163472ae75d5e95ff42e2962b81364f10
SHA5123f36924de02d8e4b779ec264a3b285be86b78e43377a18cecfc3a484b8b46aa5dc9ad280ac8f79d863d9070a941cd576c621f628fab2d44d2118a977cdc6a2eb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e