Analysis Overview
SHA256
e34fca44b8c042f1f9f5cb1bc2d8c8b762de1f49b16eb83d8f3a01a009d2009b
Threat Level: Likely malicious
The file LDPlayer64_ens_3064_ld.exe was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Possible privilege escalation attempt
Creates new service(s)
Modifies file permissions
Checks installed software on the system
Executes dropped EXE
Registers COM server for autorun
Launches sc.exe
Drops file in Windows directory
Loads dropped DLL
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Kills process with taskkill
Runs net.exe
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 00:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 00:27
Reported
2024-03-02 00:30
Platform
win11-20240221-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Encode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\ldplayerbox\platforms\qoffscreen.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxSampleDevice.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\fastpipe.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxGuestPropSvc.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-debug-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-core-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayerbox\msvcp140.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-core-file-l1-2-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\padlock.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\tstInt.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxSharedCrOpenGL.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-libraryloader-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-crt-filesystem-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayerbox\Ld2BoxDDR0.r0 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayerbox\Ld2VMMR0.r0 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-private-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\ssleay32.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\VBoxProxyStub-x86.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\NetAdpUninstall.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxDD.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\EGL.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-time-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\LdVBoxNetLwf-PreW10.cat | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxTestOGL.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayerbox\LdVBoxNetLwf.sys | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-core-file-l2-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-core-synch-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-process-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-runtime-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\host_manager.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxNetDHCP.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxVMM.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\USBUninstall.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\ucrtbase.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-processenvironment-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\vccorlib140.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\NetLwfUninstall.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayerbox\LdVBoxNetLwf.cat | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-multibyte-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxDbg.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-crt-utility-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\concrt140.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\Ld2VMMRC.rc | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\msvcp100.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\NetAdp6Install.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxC.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-processthreads-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-rtlsupport-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\dasync.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\VBoxClient-x86.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxPlaygroundDevice.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-timezone-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\msvcr120.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\api-ms-win-crt-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\msvcp140.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\NetAdp6Uninstall.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxRes.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-core-interlocked-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\msvcp120.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\Qt5Core.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\regsvr32_x64.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\x86\api-ms-win-crt-environment-l1-1-0.dll | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayerbox\VBoxAutostartSvc.exe | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\dismhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayerbox\LdVBoxSVC.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\driverconfig.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayerbox\\VBoxProxyStub.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer64\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayerbox\\LdVBoxSVC.exe\"" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-CF37-453B-9289-3B0F521CAF27} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-0C55-47B1-AA64-D340A396B418}\ = "IProgress" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-A161-41F1-B583-4892F4A9D5D5}\ = "IMediumConfigChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-7532-45E8-96DA-EB5986AE76E4}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20190809-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayerbox\\LdVBoxSVC.exe\"" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-AEDF-461C-BE2C-99E91BDAD8A1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-7966-481D-AB0B-D0ED73E28135} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-D612-47D3-89D4-DB3992533948}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-C380-4510-BC7C-19314A7352F1}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4194-EC8B-C761-E1A99327E9F0}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-E0A0-427F-B946-C42063F54D81}\ = "IAudioAdapter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4FE4-AAF6-91C5-E9B8EA4151EE}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-BCB2-4905-A7AB-CC85448A742B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4022-DC80-5535-6FB116815604}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-5637-472A-9736-72019EABD7DE}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CLSID\ = "{20190809-47b9-4a1e-82b2-07ccd5323c3f}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-25DD-4719-AB34-C908701EFB58}\ = "IVideoCaptureChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-E0A0-427F-B946-C42063F54D81}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-E64A-4908-804E-371CAD23A756}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-80E1-4A8A-93A1-67C5F92A838A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20190809-1750-46F0-936E-BD127D5BC264} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-AEDF-461C-BE2C-99E91BDAD8A1} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4453-4F3E-C9B8-5686939C80B6}\ = "IGuestProcess" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-80F6-4266-8E20-16371F68FA25} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-3FF2-4F2E-8F09-07382EE25088} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-E64A-4908-804E-371CAD23A756}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-5637-472A-9736-72019EABD7DE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-921B-4F2A-7801-0CC5EC28CDAE} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-2D12-4D7C-BA6D-CE51D0D5B265}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-5637-472A-9736-72019EABD7DE}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-B4A4-44CE-85A8-127AC5EB59DC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-1A29-4A19-92CF-02285773F3B5} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-3618-4EBC-B038-833BA829B4B2}\NumMethods\ = "25" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4194-EC8B-C761-E1A99327E9F0}\ = "ISnapshot" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-402E-022E-6180-C3944DE3F9C8} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-C71F-4A36-8E5F-A77D01D76090} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4737-457B-99FC-BC52C851A44F}\NumMethods\ = "15" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-BCB2-4905-A7AB-CC85448A742B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4438-8657-E78E-80A40713A23C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4C6B-239B-A846-C4BB69E41038}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-3CF5-4C0A-BC90-9B8D4CC94D89} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-47AE-EE34-C2FE-53A16E388925}\ = "IMachineDebugger" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-83C7-4F2B-A323-9A97F46F4E29}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-E594-4E18-9222-B5E83A23F1DA}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-44CB-E334-66FA-469A17FD09DF} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-AC97-4C16-B3E2-81BD8A57CC27}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-B45C-48AE-8B36-D35E83D207AA}\NumMethods\ = "24" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-B7F1-4A5A-A4EF-A11DD9C2A458}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-E191-400B-840E-970F3DAD7296}\ = "IPCIAddress" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-4438-8657-E78E-80A40713A23C}\NumMethods\ = "24" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20190809-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32\ = "{20190809-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4B0A-10BC-9C2B-68973052DE16} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20190809-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer64\LDPlayer.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer64_ens_3064_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer64_ens_3064_ld.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.0.729033138\42167708" -parentBuildID 20221007134813 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad993756-92ac-4997-b001-644f1968423f} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 1888 20c87fd8058 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.1.920914155\1346208630" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bba8a85-b4c0-487d-952a-d77c156c0c96} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 2264 20c87f0b158 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.2.1081734449\455383641" -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 2852 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf27f766-b4da-4840-bb3c-114b8b8907ee} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 3116 20c87f5ec58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.3.292027512\748787557" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {289ba82a-e1d7-4db4-ae3c-7b0cb0cf4a44} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 3704 20c8d874e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.4.1072272154\1339004415" -childID 3 -isForBrowser -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78a424be-20a2-4536-9a32-ea152f56acc3} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 4580 20c8f1efd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.5.1764104939\480549637" -childID 4 -isForBrowser -prefsHandle 4592 -prefMapHandle 4948 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa9d875c-cdf7-43f6-9759-b1c95eefad74} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 5108 20c8d23d858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.6.1979766635\1542418826" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50406e90-beb6-4304-9cfa-674784cc2265} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 5240 20c8d23ea58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1588.7.1395338482\67372668" -childID 6 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8445613d-f90e-448c-8982-547f60118f25} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" 5432 20c8d23f358 tab
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnupdate.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer64\LDPlayer.exe
"C:\LDPlayer\LDPlayer64\\LDPlayer.exe" -silence -downloader -openid=3064 -path="C:\LDPlayer\LDPlayer64\"
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM fynews.exe
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM ldnews.exe
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM LdVBoxHeadless.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM LdVBoxSVC.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VirtualBox.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VBoxManage.exe /T
C:\LDPlayer\LDPlayer64\dnrepairer.exe
"C:\LDPlayer\LDPlayer64\dnrepairer.exe" listener=262574
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer64\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer64\vms" /grant everyone:F /t
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM LdVBoxHeadless.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM LdVBoxSVC.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VirtualBox.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VBoxManage.exe /T
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\dismhost.exe {16C1396F-4B75-469A-96CD-F596C9059E15}
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayerbox\LdVBoxSVC.exe
"C:\Program Files\ldplayerbox\LdVBoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayerbox\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayerbox\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create LdVBoxDrv binPath= "C:\Program Files\ldplayerbox\LdVBoxDrv.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start LdVBoxDrv
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "LDVBox" -Direction Inbound -Program 'C:\Program Files\ldplayerbox\LdVBoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer64\driverconfig.exe
"C:\LDPlayer\LDPlayer64\driverconfig.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\ldmutiplayer\" /r /d y
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\ldmutiplayer\" /grant everyone:F /t
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
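The process list above is a readable installer sequence: taskkill its own older components, net start cryptsvc and re-register the signature-verification provider DLLs (Softpub, Wintrust, Initpki, dssenh, rsaenh, cryptdlg, the usual "reset WinTrust components" recipe), takeown plus icacls everyone:F on the vms and ldmutiplayer directories, dism and sc query to check Hyper-V state, regsvr32 of the VBox COM DLLs, sc create of LdVBoxDrv as an auto-start kernel driver, and a PowerShell firewall rule for LdVBoxHeadless.exe. The Python below is an added example and not part of the report or of LDPlayer: it tokenizes Windows command lines like these and tags the behaviours an analyst would pull out of a Sysmon or 4688 feed, and parses every sc create into a service definition so the driver image path is captured. The tag names, the CRYPTO_STACK_DLLS set and the helper names are my own; the sample lines are copied from the list above.

```python
import ntpath
import re
from collections import defaultdict

# Command lines copied from the "Processes" list above (constructed sample input, one per line).
SAMPLE_COMMAND_LINES = r"""
"taskkill" /F /IM dnplayer.exe /T
"C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
"C:\LDPlayer\LDPlayer64\\LDPlayer.exe" -silence -downloader -openid=3064 -path="C:\LDPlayer\LDPlayer64\"
"net" start cryptsvc
"regsvr32" Softpub.dll /s
"regsvr32" Wintrust.dll /s
"regsvr32" Initpki.dll /s
"C:\Windows\system32\regsvr32" Initpki.dll /s
"regsvr32" dssenh.dll /s
"regsvr32" rsaenh.dll /s
"regsvr32" cryptdlg.dll /s
"takeown" /f "C:\LDPlayer\LDPlayer64\vms" /r /d y
"icacls" "C:\LDPlayer\LDPlayer64\vms" /grant everyone:F /t
C:\Windows\system32\dism.exe /Online /English /Get-Features
sc query HvHost
"C:\Program Files\ldplayerbox\LdVBoxSVC.exe" /RegServer
"regsvr32" "C:\Program Files\ldplayerbox\VBoxC.dll" /s
"regsvr32" "C:\Program Files\ldplayerbox\x86\VBoxProxyStub-x86.dll" /s
"C:\Windows\system32\sc" create LdVBoxDrv binPath= "C:\Program Files\ldplayerbox\LdVBoxDrv.sys" type= kernel start= auto
"C:\Windows\system32\sc" start LdVBoxDrv
"powershell.exe" New-NetFirewallRule -DisplayName "LDVBox" -Direction Inbound -Program 'C:\Program Files\ldplayerbox\LdVBoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
"""

# DLLs whose re-registration rewrites the Authenticode/WinTrust provider keys (my own list).
CRYPTO_STACK_DLLS = {'softpub.dll', 'wintrust.dll', 'initpki.dll', 'dssenh.dll', 'rsaenh.dll', 'cryptdlg.dll'}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes (the quotes are dropped)."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def classify(cmdline):
    """Map one command line to a set of behaviour tags, keyed on the image name and its arguments."""
    tokens = tokenize(cmdline)
    if not tokens:
        return set()
    image = ntpath.basename(tokens[0]).lower()
    if image.endswith('.exe'):
        image = image[:-4]
    args = [t.lower() for t in tokens[1:]]
    tags = set()
    if image == 'sc' and args:
        if args[0] == 'create':                          # 'type= kernel' means a driver, not a user-mode service
            tags.add('kernel-driver-service-created' if 'kernel' in args else 'service-created')
        elif args[0] == 'start':
            tags.add('service-started')
        elif args[0] == 'query':
            tags.add('service-queried')
    elif image in ('net', 'net1') and args[:1] == ['start']:
        tags.add('service-started')
    elif image == 'regsvr32':
        target = next((a for a in args if a.endswith('.dll')), None)
        if target is not None:
            tags.add('signature-stack-reregistered' if ntpath.basename(target) in CRYPTO_STACK_DLLS
                     else 'com-server-registered')
    elif image == 'taskkill' and '/f' in args:
        tags.add('process-killed')
    elif image == 'takeown':
        tags.add('ownership-taken')
    elif image == 'icacls' and 'everyone:f' in args:
        tags.add('acl-weakened-everyone-full')
    elif image == 'dism' and '/get-features' in args:
        tags.add('windows-feature-enumerated')
    elif image == 'powershell' and 'new-netfirewallrule' in args:
        tags.add('firewall-rule-added')
    if '/regserver' in args:                             # an EXE self-registering its COM classes
        tags.add('com-server-registered')
    return tags


def parse_sc_create(tokens):
    """Pull the service name and the 'key= value' option pairs out of an 'sc create' command line."""
    verb_idx = next(i for i, t in enumerate(tokens) if t.lower() == 'create')
    svc = {'name': tokens[verb_idx + 1]}
    rest = tokens[verb_idx + 2:]
    for key, val in zip(rest[::2], rest[1::2]):          # sc syntax: 'binPath= value type= value ...'
        if key.endswith('='):
            svc[key[:-1].lower()] = val
    return svc


def triage(cmdlines):
    """Group command lines by tag and extract every service definition created with sc."""
    tags, services = defaultdict(list), []
    for line in cmdlines.splitlines():
        line = line.strip()
        if not line:
            continue
        found = classify(line)
        for tag in (found or {'untagged'}):
            tags[tag].append(line)
        if found & {'kernel-driver-service-created', 'service-created'}:
            services.append(parse_sc_create(tokenize(line)))
    return {'tags': dict(tags), 'services': services}


if __name__ == '__main__':
    result = triage(SAMPLE_COMMAND_LINES)
    for tag, lines in sorted(result['tags'].items()):
        print(f'{tag}: {len(lines)}')
    print('services:', result['services'])
```

Run on the sample, the seven regsvr32 lines land under signature-stack-reregistered, the VBox DLL registrations and LdVBoxSVC.exe /RegServer under com-server-registered, and the single sc create comes back as {'name': 'LdVBoxDrv', 'binpath': 'C:\Program Files\ldplayerbox\LdVBoxDrv.sys', 'type': 'kernel', 'start': 'auto'}, which is the line to pivot on: a kernel driver image outside the Windows directory is what the "LoadsDriver" and "Creates new service(s)" signatures are pointing at.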
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| IE | 74.125.193.139:80 | www.google-analytics.com | tcp |
| FR | 18.161.111.93:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.193.125.74.in-addr.arpa | udp |
| FR | 3.160.188.70:443 | cdn.ldplayer.net | tcp |
| N/A | 127.0.0.1:49755 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 44.237.149.213:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| N/A | 127.0.0.1:49761 | | tcp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| IE | 209.85.202.138:443 | redirector.gvt1.com | tcp |
| IE | 209.85.202.138:443 | redirector.gvt1.com | udp |
| DE | 74.125.11.102:443 | r1.sn-4g5e6nzl.gvt1.com | tcp |
| US | 8.8.8.8:53 | 102.11.125.74.in-addr.arpa | udp |
| DE | 74.125.11.102:443 | r1.sn-4g5e6nzl.gvt1.com | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| IE | 74.125.193.139:80 | www.google-analytics.com | tcp |
| IE | 74.125.193.139:80 | www.google-analytics.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\4d1b1ed0-285c-4991-afd0-e3314ed6d874
| MD5 | fd5caf570dce3bb9918fececa6da7e86 |
| SHA1 | c49ad1088742171374cdac1f7d89f08282131cc9 |
| SHA256 | 3656af18a88ca1b98275717a2503665a4a2d59b9b0b1858d05442e3ce5d528fe |
| SHA512 | a4e2048d010b798b5335a540d81286c94a4eb5f08b9f976fa96a182b9d298da2be37cf4ab4760d099211bcfbe4bfb0940f7afa40ec58d6cb60e85d8e543e9ffb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 1206fc9136d5448b0ac92b3bf1717fee |
| SHA1 | 78413bda119a7918e0ed445df87706c89f232413 |
| SHA256 | 2df9c37f877fff16cbe2d409f141247442e64b1b0407067f64b1365c46e7dbd6 |
| SHA512 | e543c190d04108dd09cb478bea381443751f3be47405eb37e8ecf1f6d640889a6020ba73daa8c7672ac7d821d76e4c9d0ba0c96bbb414586e1257eabf3a1ca32 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js
| MD5 | 6bcbc5a85d03294643d96f43bac889c4 |
| SHA1 | aaed2588ba2032dcd2808fc4d2bf027309dfe3a9 |
| SHA256 | 6b06c915f773f0bb2aba3cf7b57ea75db3a76d736123ba9251dcea209786d0f4 |
| SHA512 | 7032002b2c86cb9f7c59b200f66e2388bc3c94aa0648b8ec627df6b39d006dfd07879eb697ff9393687660637e452718db79b97257d5ef3c1ca50d91aa44d6a7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d8xutbrp.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | c460716b62456449360b23cf5663f275 |
| SHA1 | 06573a83d88286153066bae7062cc9300e567d92 |
| SHA256 | 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0 |
| SHA512 | 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs.js
| MD5 | 008403bb3dd0838e382bccd82c494588 |
| SHA1 | 41bad665cd94181e60d4a5db5a8cab97293644eb |
| SHA256 | 58b9a0449a65d42e3d7b49e0e490fc76823d4157d4657b095ebb48743dd72868 |
| SHA512 | 3a88256c585f9fb77002f2c741263d25151e05c6d523b6cdf392bd392a57968f42ee954d617aebd95759e157440f7b124c0f6f68159be490083d4b78501266fd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 30d8059aead2edd41d72ecb156e9107c |
| SHA1 | 731e1c5314f2241f37f5c01eb88948a55b570454 |
| SHA256 | 36c8824fa948260f51452d453f50898103520c4a22b0a6b0466e9cb70a405559 |
| SHA512 | d81fa4176be119eafc5b15d2edcdb1427746430ebc1d57f20b24e5c7512f06ee4d7f5f9dff538a581a9b03f9c94cc399efc61d0ccb9a6242e67241fda9ef618c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
| MD5 | feeb0bc3bdf499614ef73e087467016c |
| SHA1 | 25ec6c284826063e3bad3f1613b462931ef5fbe4 |
| SHA256 | 7d4d16a7ea7f1c95d977a7dd10af69bdf604279faa00afb90b55ae8a86847723 |
| SHA512 | 5f348696eec3134df293dfc8bb32e9d12a558c025d95b6a73421f4c29b26d90112d2bed9c29708f4a9e611dab33ab11fd41feb9df80c8a0531ee8425c93338cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
| MD5 | 7db3f03180680efcdf5f17490025ed7a |
| SHA1 | 7271a49806e80f12df1d04f908ba6aefdda22963 |
| SHA256 | 3cd1227f090805fcb13407eb133b69947f774e6985ba3a07699acddc660959ac |
| SHA512 | b66e43a1d3dec3722a97c2757879135c9618eb90b6a0e2423aec99e4f97cc1c1be5dfbc62069e9e70b9a9537a203be91d7819bb03073c38282ef459ef3a5f896 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d8xutbrp.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C
| MD5 | 5ee7d2b70e6dd70965c20755b7a53614 |
| SHA1 | 5f95ffc13c0e2a009c03f5439e1cbbd774b937ab |
| SHA256 | 788d31c574ec77bbaa66d0c017a8db6d0fbe47f377fa334a0545c26048566a9d |
| SHA512 | 5b5f4fc06982f35af37406370c70e12e9ff7fbaefb90d9669d6b4ab100c8e5b9fea3e5008be8353e01881d54c5ac05344473abf9fbf94b39a26d98af0684674a |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\LDPlayer\LDPlayer64\LDPlayer.exe
| MD5 | ddd3a86fcc211534b754464519fdf4f7 |
| SHA1 | d563c5fe13b54386ae5f9dcf39ed9861cf9e11f1 |
| SHA256 | 5d081ed125b8568088b4bd86b363d1e177ca6bc2cde6ae967869e53eceffd99f |
| SHA512 | 609b2a206c8386787472ebbb47bd0d284b4d8dcaf663cb438050b174e4f34d6cd476aa8d4afb163384a640e92fd55403322087d06dc43bd4b9dfaaeda2a226a8 |
C:\LDPlayer\LDPlayer64\LDPlayer.exe
| MD5 | 5f46eb8fd510bf7fccfa24c0de1dc1bb |
| SHA1 | 71e79fc0f6dc8ca74d82e2e688344a78724f4ce7 |
| SHA256 | ba3927c7b26adf393edaf365182dbc6ca94ff2968fd13954eae091a2fd96b851 |
| SHA512 | af1aa23bd89b423f305beac931239bcbe4f70334f839a5628e5b6bd89187bf1bfe32322f635b6fdb2140f152a4126cf02bfa04ef7a1c0cdd30814eb48e5a54d2 |
C:\LDPlayer\LDPlayer64\dnrepairer.exe
| MD5 | 57b5ebc1f757a9ed97db2cd3edcf4671 |
| SHA1 | be41d8a49e89e0ccfb65c716ea223668f416ac4e |
| SHA256 | a79d775bb8482651135116601a9cec9818dad2c97422d7c29eb31af5ff50beda |
| SHA512 | 4089de5a155e1c2816a94f1e0586bf4a86cf8624da58af9b6d11ad5d1cfdd6cca8da5f2aed4f54b6f8a973bc7984adab48ebcd8febcc648479d67925a0e3ac9e |
C:\LDPlayer\LDPlayer64\dnrepairer.exe
| MD5 | 9a8d4b27d3019c93214170125c07b56b |
| SHA1 | 686fe478ff87dea13864e0af8b6128995bf66639 |
| SHA256 | a955dfe0ecd70d13e22746471fbb9d58ebf25fc311f1cefd99c8f02ba82ed715 |
| SHA512 | 55965e8d7c6901f57733b61488efef86aadd79f900cfdd1928ca345612f68954a54640ec09edc09b3df542c86d5b6bfb4436aa922beb2fc88962904b7a5626cf |
C:\LDPlayer\LDPlayer64\MSVCP120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer64\msvcr120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer64\dnresource.rcc
| MD5 | ffb67501164809507e30143d8186a0fb |
| SHA1 | 6d6b2bee84c0e248ba29ae975d94603ba055ab73 |
| SHA256 | 7335361ce05c8eae54da6491eb9346dc0aeb7002ba63c0d28cd3f3ccc0d5c780 |
| SHA512 | a93705c277e23b4b1300e92c756983346a5e1275b4ddaa6baddffd932a10fa80c618f94a3ede78061dadb6c65a0dd9e6b8d4ec51388a32141a1a05ae40927b78 |
C:\LDPlayer\LDPlayer64\crashreport.dll
| MD5 | 28b4897d10b14f556655164098c18114 |
| SHA1 | 0187ea8a7fc921bb850cba87cb7ebeae90b4e6ba |
| SHA256 | a14bf3e06558a2df46dff0e61659fed31841330e399f020825973affd58e6dd7 |
| SHA512 | 746e0158c8b8d9052d2e0df97594e9d095e439cd22b2b1f3600b7f85ba49b9ebfb0d8593364a0afeda2ae277343cfefa061142e333268364b9ae1e0b831a6c02 |
C:\LDPlayer\LDPlayer64\vms\config\leidian0.config
| MD5 | 300858f429fc9c61c6d989487e630a42 |
| SHA1 | 2929a8ebef1549600e0a99661c39be2e124b848d |
| SHA256 | d12d0268b05c016e0d79b289e5772299ffc339634be6dd131ae3ceca75c7f2d8 |
| SHA512 | f3b450ac7ed56d0ca8d9411b4d47ba4236c124f87a5e37478b6c91a0041466e67a77222a1923e0547e509d881763f055ef7ccf50128af9a34ae6b8540bbc7991 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\DismHost.exe
| MD5 | 17275206102d1cf6f17346fd73300030 |
| SHA1 | bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166 |
| SHA256 | dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6 |
| SHA512 | ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\DismCorePS.dll
| MD5 | 7f751738de9ac0f2544b2722f3a19eb0 |
| SHA1 | 7187c57cd1bd378ef73ba9ad686a758b892c89dc |
| SHA256 | db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc |
| SHA512 | 0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\DismProv.dll
| MD5 | 2ac64cc617d144ae4f37677b5cdbb9b6 |
| SHA1 | 13fe83d7489d302de9ccefbf02c7737e7f9442f9 |
| SHA256 | 006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44 |
| SHA512 | acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\OSProvider.dll
| MD5 | e9833a54c1a1bfdab3e5189f3f740ff9 |
| SHA1 | ffb999c781161d9a694a841728995fda5b6da6d3 |
| SHA256 | ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85 |
| SHA512 | 0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\ServicingCommon.dll
| MD5 | 07231bdae9d15bfca7d97f571de3a521 |
| SHA1 | 04aec0f1afcf7732bc4cd1f7aab36e460c325ba6 |
| SHA256 | be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935 |
| SHA512 | 2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\EdgeProvider.dll
| MD5 | c22cc16103ee51ba59b765c6b449bddb |
| SHA1 | b0683f837e1e44c46c9a050e0a3753893ece24ad |
| SHA256 | eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b |
| SHA512 | 2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\OfflineSetupProvider.dll
| MD5 | 3437087e6819614a8d54c9bc59a23139 |
| SHA1 | ae84efe44b02bacdb9da876e18715100a18362be |
| SHA256 | 8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74 |
| SHA512 | 018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\AssocProvider.dll
| MD5 | 702f9c8fb68fd19514c106e749ec357d |
| SHA1 | 7c141106e4ae8f3a0e5f75d8277ec830fc79eccc |
| SHA256 | 21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358 |
| SHA512 | 2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\DismCore.dll
| MD5 | c73ee8f61bce89d1edad64d16fedcdd6 |
| SHA1 | e8fe02e68fd278fd4af501e350d412a5a91b269f |
| SHA256 | b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413 |
| SHA512 | 8a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\en-US\CbsProvider.dll.mui
| MD5 | 8644aa200968ce8dfe182f775e1d65c4 |
| SHA1 | 060149f78e374f2983abde607066f2e07e9b0861 |
| SHA256 | 46b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030 |
| SHA512 | 29b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\en-US\AssocProvider.dll.mui
| MD5 | 3a26818c500fb74f13342f44c5213114 |
| SHA1 | af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602 |
| SHA256 | 421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb |
| SHA512 | afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\en-US\AppxProvider.dll.mui
| MD5 | f70750a86cda23a3ced4a7ecf03feebd |
| SHA1 | 1c2d9d79974338ce21561b916130e696236fbb48 |
| SHA256 | 8038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050 |
| SHA512 | cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\AppxProvider.dll
| MD5 | a31cb807bf0ab4ddbbe2b6bb96ae6cd1 |
| SHA1 | cf63765b41aee9cd7ae76c04dfbb6151e909b3c9 |
| SHA256 | 37f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47 |
| SHA512 | 6a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\CbsProvider.dll
| MD5 | f51151b2d8d84cddbedbeffebdc6ec6a |
| SHA1 | adc9c19aa0663e65997f54835228968e13532198 |
| SHA256 | 7fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884 |
| SHA512 | 802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\GenericProvider.dll
| MD5 | 20fb116831396d9477e352d42097741c |
| SHA1 | 7e063ac9bc173a81dc56dc5864f912041e2c725a |
| SHA256 | 6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4 |
| SHA512 | 851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\DmiProvider.dll
| MD5 | e54120aa50f14e0d3d257e77db46ece5 |
| SHA1 | 922203542962ec5f938dcb3c876f060ecf17f9dc |
| SHA256 | b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54 |
| SHA512 | fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\MsiProvider.dll
| MD5 | eb171b7a41a7dd48940f7521da61feb0 |
| SHA1 | 9f2a5ddac7b78615f5a7af753d835aaa41e788fc |
| SHA256 | 56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55 |
| SHA512 | 5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\SmiProvider.dll
| MD5 | 46e3e59dbf300ae56292dea398197837 |
| SHA1 | 78636b25fdb32c8fcdf5fe73cac611213f13a8be |
| SHA256 | 5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339 |
| SHA512 | e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\IBSProvider.dll
| MD5 | f6b7301c18f651567a5f816c2eb7384d |
| SHA1 | 40cd6efc28aa7efe86b265af208b0e49bec09ae4 |
| SHA256 | 8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61 |
| SHA512 | 4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\IntlProvider.dll
| MD5 | 34035aed2021763bec1a7112d53732f1 |
| SHA1 | 7132595f73755c3ae20a01b6863ac9518f7b75a4 |
| SHA256 | aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731 |
| SHA512 | ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\SysprepProvider.dll
| MD5 | 4dfa1eeec0822bfcfb95e4fa8ec6c143 |
| SHA1 | 54251e697e289020a72e1fd412e34713f2e292cf |
| SHA256 | 901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494 |
| SHA512 | 5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\UnattendProvider.dll
| MD5 | 7c61284580a6bc4a4c9c92a39bd9ea08 |
| SHA1 | 4579294e3f3b6c03b03b15c249b9cac66e730d2a |
| SHA256 | 3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8 |
| SHA512 | b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\WimProvider.dll
| MD5 | bcf8735528bb89555fc687b1ed358844 |
| SHA1 | 5ef5b24631d2f447c58b0973f61cb02118ae4adc |
| SHA256 | 78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c |
| SHA512 | 8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\ProvProvider.dll
| MD5 | 2ef388f7769205ca319630dd328dcef1 |
| SHA1 | 6dc9ed84e72af4d3e7793c07cfb244626470f3b6 |
| SHA256 | 4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf |
| SHA512 | b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\Ffuprovider.dll
| MD5 | a41b0e08419de4d9874893b813dccb5c |
| SHA1 | 2390e00f2c2bc9779e99a669193666688064ea77 |
| SHA256 | 57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3 |
| SHA512 | bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\Vhdprovider.dll
| MD5 | 8a655555544b2915b5d8676cbf3d77ab |
| SHA1 | 5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2 |
| SHA256 | d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27 |
| SHA512 | c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\ImagingProvider.dll
| MD5 | 4c6d681704e3070df2a9d3f42d3a58a2 |
| SHA1 | a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81 |
| SHA256 | f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137 |
| SHA512 | daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\TransmogProvider.dll
| MD5 | c1c56a9c6ea636dbca49cfcc45a188c3 |
| SHA1 | d852e49978a08e662804bf3d7ec93d8f6401a174 |
| SHA256 | b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf |
| SHA512 | f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e |
C:\Windows\Logs\DISM\dism.log
| MD5 | fa55f83b44988858dca973cf2d1312a4 |
| SHA1 | 574c996b87a184d0332cd0d63b31e99f75ecd7a0 |
| SHA256 | 6dcc3c48a70d1f526ecd576a81447578d6e9ff28b0d3bd1dacf7fa00b521684e |
| SHA512 | 775a30ee3d9e2becaf23b944436040ed9ff02e52b7ac460517f98e427d67ac7981c15a0c22f046e15f35404e6664eef887a3f40963c41788fefbc3d805e98b93 |
C:\Users\Admin\AppData\Local\Temp\6958F73C-ECC7-4280-8A7E-67BE403F8936\LogProvider.dll
| MD5 | c63f6b6d4498f2ec95de15645c48e086 |
| SHA1 | 29f71180feed44f023da9b119ba112f2e23e6a10 |
| SHA256 | 56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde |
| SHA512 | 3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc |
C:\Windows\Logs\DISM\dism.log
| MD5 | 75dc01072a879532c3419219352acf89 |
| SHA1 | f5096117512cd554a280ac4caa6ffcca878247bf |
| SHA256 | 8db0bdbea07704fc8d4c711ba154bc424b9c2358e889f8f2aa090575d7997a21 |
| SHA512 | 269c0ebf115c3403d8774b20585e3300141b64077e31dde8840962e6b98674fa5335267a9abd2e030788778e4c87799b04b06a8bc58ad025ed47fe203ee518b4 |
memory/3116-2774-0x0000000002440000-0x0000000002476000-memory.dmp
memory/3116-2775-0x00000000724D0000-0x0000000072C81000-memory.dmp
memory/3116-2776-0x0000000002500000-0x0000000002510000-memory.dmp
memory/3116-2777-0x0000000002500000-0x0000000002510000-memory.dmp
memory/3116-2778-0x0000000004EC0000-0x00000000054EA000-memory.dmp
memory/3116-2779-0x0000000004DA0000-0x0000000004DC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0vqkncl.k5t.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3116-2781-0x0000000005710000-0x0000000005776000-memory.dmp
memory/3116-2780-0x00000000056A0000-0x0000000005706000-memory.dmp
memory/3116-2790-0x0000000005780000-0x0000000005AD7000-memory.dmp
memory/3116-2791-0x0000000005C20000-0x0000000005C3E000-memory.dmp
memory/3116-2792-0x0000000005C60000-0x0000000005CAC000-memory.dmp
memory/3116-2793-0x000000007F770000-0x000000007F780000-memory.dmp
memory/3116-2794-0x0000000006BF0000-0x0000000006C24000-memory.dmp
memory/3116-2795-0x000000006EF10000-0x000000006EF5C000-memory.dmp
memory/3116-2804-0x0000000006220000-0x000000000623E000-memory.dmp
memory/3116-2805-0x0000000002500000-0x0000000002510000-memory.dmp
memory/3116-2806-0x0000000006E30000-0x0000000006ED4000-memory.dmp
memory/3116-2807-0x00000000075C0000-0x0000000007C3A000-memory.dmp
memory/3116-2808-0x0000000006F80000-0x0000000006F9A000-memory.dmp
memory/3116-2809-0x0000000007000000-0x000000000700A000-memory.dmp
memory/3116-2810-0x0000000007210000-0x00000000072A6000-memory.dmp
memory/3116-2811-0x0000000007190000-0x00000000071A1000-memory.dmp
memory/3116-2812-0x00000000071D0000-0x00000000071DE000-memory.dmp
memory/3116-2813-0x00000000072B0000-0x00000000072CA000-memory.dmp
memory/3116-2814-0x0000000002500000-0x0000000002510000-memory.dmp
memory/3116-2817-0x00000000724D0000-0x0000000072C81000-memory.dmp
C:\LDPlayer\LDPlayer64\dnmultiplayer.exe
| MD5 | 1c291afe061d13ebce0bf188489d7c2e |
| SHA1 | 84638991e5d113c844994266ae933972c160be69 |
| SHA256 | 2c97c347a6f1687b139e4dba35de2c5d603cfd6bc022dd044feb51a7fc705636 |
| SHA512 | ad01b1d892731ce1f46d01dd74e20f3c9930dd38f8c197049cfc1d610c161e8f0945c9f162f8cad44c32cc8700680ae2a8c9148687e4634ff9a45e1270f898b3 |
C:\LDPlayer\LDPlayer64\dnplayer.exe
| MD5 | e1d2e0b2a471968ebcb01dfa22f0be07 |
| SHA1 | 823cbd3af55b69c3dd7e590d813d5427a159fff8 |
| SHA256 | 2b034103d7746fdb287dedc7e738105a51b1e74c5c347b430f57799425c6ad37 |
| SHA512 | 4ee92cf7804f381481bf1c168820c394e3f940652c7b39a30a48a219b1dc3515b4432bf302c9e7a9529d4e3ce0c800b05ac71dd264a357cce822e49ff205e93f |
C:\LDPlayer\LDPlayer64\ldmutiplayer\cximagecrt.dll
| MD5 | 66df6f7b7a98ff750aade522c22d239a |
| SHA1 | f69464fe18ed03de597bb46482ae899f43c94617 |
| SHA256 | 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f |
| SHA512 | 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e |
C:\LDPlayer\LDPlayer64\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer64\fonts\NotoSans-Regular.otf
| MD5 | 8000091ffef23335abb8a3f3b07a504e |
| SHA1 | 6f186c3bce2f7a0b3193739577e312888858a2e6 |
| SHA256 | caa8a431761c6297a61faf8d8678c3124b12a76651bcd64c854f3329ec96ae55 |
| SHA512 | 133876a76170804c4057db62cd6554c2cb8fce1a72547bd8792df746b76708654aa35039b85b17bd6f30525f6352c851cc55619751cd3e6bffef0258aedc9ff5 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\msvcr110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\msvcp110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\LDPlayer\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
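The dropped-file listing above is the raw material for a hunt: each path is followed by four `| ALGO | hex |` rows, memory-dump entries carry no table, and `C:\Windows\Logs\DISM\dism.log` appears twice with different digests because the log was rewritten during detonation. The following is an added example (not part of the sandbox report) that parses this exact layout into records, checks that every digest has the length its algorithm requires, surfaces paths that were written more than once, and emits the de-duplicated SHA256 set for a blocklist or EDR query. The sample input is constructed from three entries copied from the listing above; the format assumptions (path line, then `| MD5 | ... |` rows, `memory/` lines without a table) are taken from this page.

```python
"""Parse a sandbox dropped-file listing into hunt-ready IoCs.

Added example for this page; not code from the report or from the sandbox
vendor. Assumed input format (as shown on this page): a file path on its
own line, followed by rows `| MD5 | <hex> |`, `| SHA1 | <hex> |`,
`| SHA256 | <hex> |`, `| SHA512 | <hex> |`; `memory/...-memory.dmp` lines
have no hash table.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hex length each digest algorithm must produce; anything else is a
# truncated or mangled row and must not be fed into a blocklist.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def is_consistent(self) -> bool:
        """True when every digest present has the length its algorithm requires."""
        return all(len(v) == DIGEST_LEN[k] for k, v in self.hashes.items())


def parse_listing(text: str) -> list:
    """Turn the path + hash-row layout into DroppedFile records, in report order."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            # Memory-dump entries have no hash table; close the open record.
            current = None
            continue
        # Any other non-empty line is a file path opening a new record.
        current = DroppedFile(path=line)
        records.append(current)
    return records


def paths_with_multiple_hashes(records) -> dict:
    """Paths listed more than once with differing SHA256 (file rewritten at runtime)."""
    by_path = defaultdict(set)
    for r in records:
        if "SHA256" in r.hashes:
            by_path[r.path].add(r.hashes["SHA256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def unique_sha256(records) -> list:
    """De-duplicated, sorted SHA256 values suitable for a blocklist or EDR query."""
    return sorted({r.hashes["SHA256"] for r in records if "SHA256" in r.hashes})


# Constructed sample: three entries copied from the listing above, including
# the dism.log path that the report lists twice with different digests.
SAMPLE = r"""
C:\Windows\Logs\DISM\dism.log
| MD5 | fa55f83b44988858dca973cf2d1312a4 |
| SHA1 | 574c996b87a184d0332cd0d63b31e99f75ecd7a0 |
| SHA256 | 6dcc3c48a70d1f526ecd576a81447578d6e9ff28b0d3bd1dacf7fa00b521684e |
memory/3116-2774-0x0000000002440000-0x0000000002476000-memory.dmp
C:\Windows\Logs\DISM\dism.log
| MD5 | 75dc01072a879532c3419219352acf89 |
| SHA256 | 8db0bdbea07704fc8d4c711ba154bc424b9c2358e889f8f2aa090575d7997a21 |
C:\LDPlayer\LDPlayer64\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(f"{r.path}  digests={sorted(r.hashes)}  consistent={r.is_consistent()}")
    print("rewritten paths:", paths_with_multiple_hashes(recs))
    print("unique SHA256 for hunting:", *unique_sha256(recs), sep="\n  ")
```

Hashes of files the sandbox itself rewrites (logs, the PowerShell policy-test script, temp DISM copies) change on every run, so the de-duplicated SHA256 list is a starting point to be pruned against known-good Windows binaries and vendor installers before it becomes a detection.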