hxxps://www[.]ldplayer[.]net/?n=25143662#utm_source=article&utm_medium=top&utm_campaign=androidauthority

Analysis

max time kernel
1705s
max time network
1827s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ldplayer.net/?n=25143662#utm_source=article&utm_medium=top&utm_campaign=androidauthority

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
6092	takeown.exe
4308	icacls.exe
5960	takeown.exe
5752	icacls.exe
4604	takeown.exe
924	icacls.exe

Executes dropped EXE 12 IoCs

pid	Process
5920	LDPlayer9_ens_25143662_ld.exe
2252	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
1816	LDPlayer9_ens_25143662_ld.exe
1964	LDPlayer9_ens_25143662_ld.exe
4352	LDPlayer9_ens_25143662_ld.exe
4424	LDPlayer9_ens_25143662_ld.exe
2712	LDPlayer.exe
5356	dnrepairer.exe
636	dismhost.exe
1636	Ld9BoxSVC.exe
1324	driverconfig.exe

Loads dropped DLL 64 IoCs

pid	Process
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5356	dnrepairer.exe
5356	dnrepairer.exe
5356	dnrepairer.exe
5356	dnrepairer.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
636	dismhost.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
1636	Ld9BoxSVC.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5276	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5368	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
5624	regsvr32.exe
4968	regsvr32.exe
4968	regsvr32.exe
4968	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5752	icacls.exe
4604	takeown.exe
924	icacls.exe
6092	takeown.exe
4308	icacls.exe
5960	takeown.exe

Registers COM server for autorun 1 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	LDPlayer9_ens_25143662_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	LDPlayer9_ens_25143662_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	LDPlayer9_ens_25143662_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	LDPlayer9_ens_25143662_ld.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vbox-img.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuthSimple.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDriver.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI64.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetNAT.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\EGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedFolders.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3492	sc.exe
5976	sc.exe
1888	sc.exe
1408	sc.exe
4308	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3536	taskkill.exe
4804	taskkill.exe
3664	taskkill.exe
2132	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ = "IGuestProcessIOEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ = "IGuestFileRegisteredEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ = "IVirtualBoxSDS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\NumMethods\ = "51"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\ = "IGuestFileSizeChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ = "IGuestOSType"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ = "IExtraDataChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486E-472F-481B-969746AF2480}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods\ = "49"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A06-81FC-A916-78B2DA1FA0E5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ = "IUSBProxyBackend"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods\ = "19"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808E-11E9-B773-133D9330F849}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer\ = "VirtualBox.VirtualBoxClient.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8384-11E9-921D-8B984E28A686}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ = "IDHCPServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods\ = "12"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods\ = "34"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\NumMethods\ = "28"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}\ = "IExtraDataCanChangeEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer\ = "VirtualBox.VirtualBox.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\ = "IGuestFileWriteEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\NumMethods\ = "18"	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 509237.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3512	msedge.exe
3512	msedge.exe
2404	msedge.exe
2404	msedge.exe
2256	identity_helper.exe
2256	identity_helper.exe
5240	msedge.exe
5240	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
2712	LDPlayer.exe
5356	dnrepairer.exe
5356	dnrepairer.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe
5748	powershell.exe
5748	powershell.exe
5748	powershell.exe
2712	LDPlayer.exe
2712	LDPlayer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5888	LDPlayer9_ens_25143662_ld.exe
Token: SeShutdownPrivilege	5888	LDPlayer9_ens_25143662_ld.exe
Token: SeCreatePagefilePrivilege	5888	LDPlayer9_ens_25143662_ld.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe
Token: SeDebugPrivilege	2712	LDPlayer.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1964	LDPlayer9_ens_25143662_ld.exe
5888	LDPlayer9_ens_25143662_ld.exe
2252	LDPlayer9_ens_25143662_ld.exe
4424	LDPlayer9_ens_25143662_ld.exe
4352	LDPlayer9_ens_25143662_ld.exe
1816	LDPlayer9_ens_25143662_ld.exe
2712	LDPlayer.exe
5356	dnrepairer.exe
1636	Ld9BoxSVC.exe
1324	driverconfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1716	2404	msedge.exe	87
PID 2404 wrote to memory of 1716	2404	msedge.exe	87
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 4492	2404	msedge.exe	89
PID 2404 wrote to memory of 3512	2404	msedge.exe	90
PID 2404 wrote to memory of 3512	2404	msedge.exe	90
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91
PID 2404 wrote to memory of 4528	2404	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/?n=25143662#utm_source=article&utm_medium=top&utm_campaign=androidauthority
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd557e46f8,0x7ffd557e4708,0x7ffd557e4718
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5504
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:4516
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5888
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnplayer.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayer.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayerex.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM bugreport.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25143662 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2712
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=393932
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5356
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        
        PID:5616
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        
        PID:4788
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        
        PID:372
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        
        PID:3928
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        
        PID:5244
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        
        PID:1636
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5960
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5752
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4604
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:924
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe {4F0D808E-A6AD-46A1-8DE9-5879FB1145DF}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:636
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        
        PID:3492
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        
        PID:5976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        
        PID:1888
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1636
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:5276
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:5368
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5624
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4968
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        
        PID:1408
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        
        PID:4308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5748
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1324
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6092
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4308
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2252
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1964
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4352
- C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
15.5MB

MD5
fbef175a8cdc6e8618521d6b7dbb2020

SHA1
4a91f97ed672dc9af3badcced729fdf0b5fbf40b

SHA256
7dca457019cf21b7bb5770080a17822238e4cef2c819d499d1f36a492be99650

SHA512
5bcd5e4e67a63720ac5a0915765168c8a977574bc919cbdbabcd0770d072faa80ce10be51d0da41d580773df0c6efbb917c6321b1345dfd0a4f5110fbe9c5f23

Download Submit
C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
17.3MB

MD5
0686471f9a15fc9fad42fe347cb1bf0f

SHA1
b80910dec7faac60011107d1a9b29dc09d0834b5

SHA256
2cc66bffec5b96758529e867d2f42ab2c00203f8df286d67ab3664f206d7f1f1

SHA512
2539132fcd84be99ccb1027c663d8bb261b9f886e3eb314f0dd652e1779b255920dad622aa4a9ca1712bdebc75375ccc3922bee2bcc628914f868b013f985a5c

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
6798fff2f289661b6e6eb25e03f859b5

SHA1
927ce8b1e3e0040437161be6fb69bc194fd48abe

SHA256
ca7232633e1fb50ec87b77c15c346c653c0b81587df45fb6f1a813ab05d9da00

SHA512
8b1ca7ad245a043fa00533bcfff5870b1bf78c8ffbdfe5c57bde3663b65e07f73fe3418ec0eacaac837e510505fe39338f9deafb41984d8e62727180028ed7c5

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.2MB

MD5
15f8c475ea01b5bebf5c5c1f2fa4042f

SHA1
33c812527cb13a7ca9480711e862e894e8d0ec23

SHA256
8191f03dca35a3a95ec8330d8f679010f2ba6f511c530e14edeeac48f86dbad3

SHA512
caa96ca4e6e5936f5b7af09cf4a54d11c1c58cb26ab091f5e0f06ae8f63f62e6a5d0b1225a201a5fca02ffacf829d97a738857abe416aafa21d429ce2e8c433e

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
4.1MB

MD5
0e2bbd8da8468b1c69dfd189278d76c2

SHA1
d53b3795a67f0936a892ca9a7a35b4808d83046c

SHA256
8d23d8307f167421a298d676a88960df0c54201b4d5085b254f3189a23126891

SHA512
1c5c0ed65b23169e939911a15f9b357ae66143b72408d8d7b0e4fa9a2fa97b6182140bd71fddc7ed25f4b7b3e34ad55e239f16eb7a6c5b6370acd9f8e0302485

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
4.3MB

MD5
2bf1f07d681eec659f4bcb21979f646e

SHA1
795aac7ab3cc5c390afb1225409c7a4899d81a94

SHA256
55423a27b7a4a07d43af47aa53628a0cb6ea8a0de4718b00df618cf6d4adb8cf

SHA512
9b06cfc773a99959cc3232becf6575f324dcb0ef150a51490d1feb3d85d9217a7bc0577645fa08562e23b9e8311d1e4b2b8b1b7afd5f6777b451f395dc15c0f5

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
4.5MB

MD5
67e5cbb3210a5273b3b02f87fa94387d

SHA1
330c303564a420557a4e2a5c9b75282196ed6853

SHA256
918baec0b71678b8f1bcbb4b8db71afb438a0495dd2113926a370130cbb01cba

SHA512
80c8903b44ec7446ec61c4e0c9ea2af1c09fd249f942f2d0b9240d661b304884f9c54f1286af8968e68381a56fd321fc1c05691043eb0d9c3ee46090f1827403

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
2.7MB

MD5
8da2312c92040413e8cbff49bbd8693d

SHA1
3016688309a86c38bceaa6cbd7accf9d60f77dad

SHA256
16e44ffd34be068bc00712ac650adb19c1e7fdbe29b6a99b8ed8d34fb5bdce3e

SHA512
f2e56d01dc2bc5c7ddee4e39ea341791efe1fbf7a7ee1a4b76770667b5cbc83fce83ce7f978c857059ee536c27d132b4204c9691e03565736f413a41aecc0a41

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf

Filesize
9.8MB

MD5
fbf8ea26474e5498c9b3a04fee105414

SHA1
dfc94b6a7767889d2a1c428a8f057a6617e23cde

SHA256
41635514f6bcf0cb33fdc6e6ca64e7a401abdacd1a25762edd8e83d52899bb3b

SHA512
f4c7f345dbba1431c25c9f2e6ae9c856110d439ea3857fd1df6210beb04c53097fff85b37628e9473084cdb7a037ab1d76c26878b8bb0413c6e39bdca0a93c3c

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

Filesize
14KB

MD5
5d246c259a00d05b1575ba07cbc4d34d

SHA1
8a14bb6fe0956b0691744f146db7e7b05375424f

SHA256
a443837b7a43522fde208f02c866ec199f69337722ea969c1f89d15577122869

SHA512
39340a5c21e70b270ad580c937a57a52045ca2f4521db29ad6ea40cf9f4a0e67b97d4ab08e85dec25e684bb2f37d0c6121796a7e630d1ed88f5c951410aa7d70

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc

Filesize
5.0MB

MD5
f845753af4cc7b94f180fb76787e3bc2

SHA1
76ca7babbb655d749c9ed69e0b8875370320cc5a

SHA256
a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990

SHA512
0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
64KB

MD5
b72e8066f8f4256ed8edb855e258dc53

SHA1
07c8dd9449707df179b997a2d13e0bb66e4ef49f

SHA256
fbadb8e49e373db7659252af834a8de385b2f4ea90188ccc1c45083f647c3e3a

SHA512
dac81255e93078f8b617460129cdcaa9a825cfe3f7493982a07794ca01f9328669741696dfd14c8dd7e25b90fa6b6b725233b36a3c23e0a4ade30603b06d99fc

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
18.6MB

MD5
0bff82d11b422d74a4eb0c8a9e6ac4b6

SHA1
0fcad20fee86d7ec38368a25daec6a1838ae8bd5

SHA256
1bab3b9a847d4a5491ab5695a0afae562db8750d9c3300e804f2900b1e98f5b6

SHA512
52824f7103fd5d66621f1b515b4932e072f38a3ee4d540efae9691511afa9f4260153fb57958a5aa64d371c708e1406fc0e8edb01bf6e036e13290501731a051

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
10.2MB

MD5
39574e2d2bd8f11b07bf8f5ae22853d9

SHA1
8b62d5c9c85df1e83c82ab2fae278564eec0d5c8

SHA256
2b795abef93434e91d73350da37f7c63670f03d10e0733a0468b5d79fe7d666d

SHA512
e77114671a1a1545996fd0f8ce58879cfa20d1adbbb9f281dfe6ae96d36ca9c51645615e93cfc81b029b12ec181d546c599c3d30b7b0b7e4d1247d8806cec622

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
21.6MB

MD5
e69e4aaf235a85b6641a02b4e3ed7ce8

SHA1
502e5323d750da6b7acfcf0c78616693d961fdea

SHA256
28c99279372d8f5d0950454f9c5daa14328901931afdc7ba8eec29c90437bf9f

SHA512
a854b8ead63d952220667c3912ed8111b24a140b53ef5c8f28b0f339a7d9cde09f8e8f103ddadadaf9bb12e735ee2645261b6c2030d7c6d87905f46edbe6fff4

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
640B

MD5
2a31f29646fa2ded1db8f8670f06f7a3

SHA1
267a436278ac47177e0db1ece5dc254b3f46dfa9

SHA256
7c76da18b150595f17bb7193d7c222e679cea15e50488626845340e2aa679fe1

SHA512
f4bc4c19505371f5f501ce3982e129561664c193ce32ca8b02ca37464d3066a8dd231c51db2df17e93054f43a31918799c1be64aa33a32cf562b6b92f85dd490

Download Submit
C:\LDPlayer\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
81b77168b174e54a3db29d85facba28b

SHA1
be26dfebf256bb4962bc0740f8c6a6f853008d97

SHA256
6aba23c8baaca0dda78e2b1a77ac9343191bde5603cda687f6c56e7385bc26e5

SHA512
8ea7e30a54e0ea2418c7a9bd1de63206ad6886a99803eead2eb085b788822cf1b99f81b58a405a8a7f6d943e8f30f980ed086530b3a0ed4b2ba23979b436033c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b551087ab8bec9f65c8afb7fbc026b6f

SHA1
e7b79c62623b3a26a5b50cfedb1567dfa88fb836

SHA256
5fe126fd94388910836c0def6764c3cea3b51c3bc88f659702320272de693c95

SHA512
a5dabb2198575456cda494cc48f7c2fc89a071564fe1a6fcbf72e32ce9fe4512acfff7954613d3247161721c7373f04688a31445061bd553c41e88fdb0813944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
21f134d986b8af89a10d1b2a2e1f8793

SHA1
a97162d008f9b220baf71b639e043c0bbfd1d2eb

SHA256
087bd6a9aa220139248321f64c14a469be2b36fbb39633b25a49f8d028d1c57c

SHA512
52dd388d0ec675240e31dcb1e7f41d9f4d82c68551213b8fa42c4b47b17fff24b4e13cc93dc9ec6d418bdf0afe1085e01a0d53a995742fed93ecc387c46486a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
759323ae85cb98313ef69905c07e15c5

SHA1
df28370d693154f9d295c209621a2248d634ccd5

SHA256
70d9cb01cd1767e116a8f80b1238ac442083857ec13fbef0805ce9552002d493

SHA512
32a0767569839bec6f3d3e902ec0d9737dbbddeba42b7416d6ae7dbeaac174e82cb3e02740a6780da824c7294c544fc41295c578f5d5462b586f05b47b5b2e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
bc2a8fb24f806322bf7f7362a1db8f1c

SHA1
d51e5d9b985e50654e14949995cb0aa2ebedc175

SHA256
0df0971bfb0badb022a1363b08ae2902e115d28da35093636950088d65b0a187

SHA512
dcc5ffaced9be2edd5e631caf9fd15f2434f7e5cdf9f8455fe64760aaed5f58227e766e7c040a5a9a7db6e1d4066daefeb00284cc203407c6d3b416dbf67795f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c24946b7c921764365d169dcf40698f

SHA1
1b2600c7b0e2e48d7dc138211135465c98273eb8

SHA256
dab4ab463a9a5f6bc108a64411f5c7b6db0716d713ce68704de78000c6549f0f

SHA512
11c814398136f9e7b96096993692ec14eed25f0239b49e16611ea7aa1ba63f81200585caa1de7a326ef1dec4941354454c9da57e877fd5f728cea17a3ae14e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
819298bde23771042e23c6da88263515

SHA1
1e0633dd2d60e96308479df1fe4563d49a115ea0

SHA256
7d72a7f4ecdb381aa5c9c6f8cab8d46d32346345d0fd4da8fc679a62d4535b18

SHA512
30fbc3286aa2ecfb043681e23eb5971bbb6fddcb380c9028112c6ad6b96703d223dd238768e8eced64d107c3dece9322d499a2004b25e48841907bf01f7f2810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd9cff66208a62afb9dd9476dd2cf2c5

SHA1
477912794f06f3d0905787ba55aa0a9f890c2a0e

SHA256
fde06b2977757cecf53cb2dcf1b3dd29318f9e400ad9d68ddbba2e54d1ae9500

SHA512
86111cd4a056a66b43f276b5c886e156a3310c48547733afbd7b49843077ff66666aa95dec329519973b7f9f7abc03f7afa71acda0e2c6245e479d7b7fbd9bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
33512ecc142374267de05b9347128b6c

SHA1
c20f4b301175abf17d878533fd5767b30494eece

SHA256
1913c713a5fb074a97d09c87c9235be942071bd04c89c23b9a64f8be93c84108

SHA512
5d564d38f45c17fba369b82471773a8ce397e8cf71fe671f12ea5ff6c8a24c9ef68ca85ef8a3280cafb35fb8f3cb2f7e5a0f9f8bf1e30e12e21675809daa215e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d376ab708b4efa3be05e2603a747fece

SHA1
39704cae2474df6b98740376d9ce41df4a00890d

SHA256
b0479b1a0d9b8dd09986b3a8d37e26f71abf6f1037f46a897c473ec3b5184620

SHA512
ad60a9c17b03c438399c785068a440a49603907c33a017f1a07c85cac9ffa8fee754b722de8faef387946fc712acadcbbc52b2a7be1ddbb957fdd57dfb529b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ff2dd468b05d6b2bb1ef6a1161802fe3

SHA1
291248c6b1389ac6810c803d3e044fb7300a69ce

SHA256
15bcf194dfde7ad758d4f0e37d3a1a50498da4446f7c85a9c9885a80c622e1f6

SHA512
1f9aa12b5ee4089915fc14655c3bcffb365d674b4b37a658f0672ce879fc779379feac3ae8471faa4a50afe269d91c985862fc992af9821d3fdaafb15bc45190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6548942b346afc482f759a6f7adab38a

SHA1
0fff5afbfe4b7b19a129950ba2e8fdefbb0f4a40

SHA256
4171587d681e8b28eeebcba3fee524f6598421a5fbd759f03a14db6d34ae0337

SHA512
6282db42bc911caf18bc2ab0357ad026b4cf888a2094744766ae9d0e290718f12ed0666b7b92281fb5e45e7a12121fdc97a54e6f91e01b0ecb3d74281c4ff553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
82611273b64989f2c04f87bdecca2da9

SHA1
71e659b3c1d45397ee42f933a92657a6b4e49f97

SHA256
eeb101fccc38dc8234b099d9d50815834d3017319fb75ace345dc3b746dbc4f5

SHA512
6be4a86d44f7902effa8351d963b7a60c7156e12389cf83b668cfd694a0282a2bba6892b873b4cc31762af3574ccfc4271d40da2b36361067c06ba6b6c57fa3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
dfab14b182ae6cbf8e780ad419af9a16

SHA1
bf7ce7b10b288497d431a0de26da88f4d89c798f

SHA256
391e9bad9a7032b6044f9295b9a92453b882cc3ff782a71a4686c28428fa482a

SHA512
9bea1e1a0fc1ec01dee207a70968fd01a33aeac6768d7a6fd3575c298ad3f47e5056274d4c10a1f3cdbfb14ccc9f7810d1e21f6731b05266437caf85b2b345c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c510b121f9eb4ad4de7354dcaf2ea24b

SHA1
4eb3bdcda2b197f46149661b02a1fd7147c58b38

SHA256
96f10ec98f12f071c5fa42d0d9263c6bb95eaf9339867bc63ab4e993215e3baf

SHA512
9e9da02a71bac9543c84656baf560ff73fc5994fdc076eef1c1fe5d98c83770173ffeb8cedbc9391eaf721e4f0ec479e7b88e68fa8623a0d8a617a067553f2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59266a.TMP

Filesize
203B

MD5
427e5b6faed6d0dccea00a18a7146b55

SHA1
e38a30dc61d038bebbc2fac9a40a920b745254b0

SHA256
ff7d15290f00ef1668f2011262a430c711c975690fb0f7f8417484246274281e

SHA512
8a386bb13dbfd5787f59edda9da1628963db4864faad7b5cd9e956266aed79be5f9087a65bb6da16ab889440b9a59e38252bc5ef9c07428e06390353fd108f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a95026cee7b4881a4b9f4c592b782938

SHA1
97866151b126e56e8f406656667952b33120a734

SHA256
9fecef4ff7db47e3fe984bc480742308b25e13ace30b882f30988e92524f1ad8

SHA512
9871945ebf7bafe7664818792390242b38ebc4714dcbd7aafb06d9270f14f89a96b43c24292c017922d61b885b492dbfad7dd6c89fe9a1d5548adf1671cdbba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ace6cf4d89f42c89e6d811c143f4efa9

SHA1
5f6208d64ff8ba2f5dece835f8f82cca18ffe127

SHA256
de8e021789c526b5c4f2eec3aafe4fbc091a80fdb2987f47cd9d8eb034f16037

SHA512
bfa767be6bfaf8d5b46d56da4ef259da87c27087443d2d741983875091e3fe8b37299c61cb559dbcdf4bcd7ea2d99d027887f785c1ef81cb4a6a76b0fe696285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fab58eab07cec82f4c0454fd14b6f4fc

SHA1
0284da2a8dbf857aed2034470d15549adba7ca66

SHA256
2eb52b01cc0ebaa26e18667a25c1c6da61ae310fa2d25bf78fdb39db2ef85f8a

SHA512
fb1405e53a31ce6cc9248b99a2030fd49125a2e9ae94fd4e78e6821ee83bfe3dba88d006a59c95f3812a299bbebd054341a32680b129d613d69fd0d38e73f51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4idrv0so.wxu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe

Filesize
3.3MB

MD5
7c2e5ef59e9589422bcd5bf3726fbcb1

SHA1
c4dac6966ac4cd3500d6a7fe44138a0db639d507

SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

SHA512
28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe

Filesize
2.6MB

MD5
b94393bf4c77ed64ec839c28c7947c9c

SHA1
c41e23fcf7fc7be9aea5f757b382dcd8156a4c3d

SHA256
1b4d2cd046d04a94813a1930f75bba373ab932f49fcc969c81a5498f7ac989c2

SHA512
90e059d5b30ff4527a21dd4815c522a2833195b2db5a58839933b6e2e26fce7009175fc02d8dbaa8fd6a649335a687e8db62a6ebd72e7b6772a499ff2c7e2976

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe

Filesize
2.9MB

MD5
720f7f127c4cc303cd6232b6d17ae932

SHA1
c78072dba5451e235069322f89dfcfe6667f591b

SHA256
7a90fc13199a03918ba5e6c0b52f1fb80a5d14f426f921aa88607929a375aea5

SHA512
41fefe68404678c10febc2a280bee10f46a0d1ebdf4d6b3253fa0f4782d08d2f88cbcf34a92969b7e60216aaed33e76d1c680804a356e344f30a11b9a9311d52

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe

Filesize
576KB

MD5
ea06400812db536cd5ec6544bd844000

SHA1
8f22db3d3f4432b4f8b89d36339a999a9c9b7350

SHA256
30d02c376fa56c85037bd1ab842c17c9e332d8785d273279cc59f5040516afa3

SHA512
ba745bced97684fdb73d690a67b0a343a998e8cc0592e74d7018b268975d94e2131cdc1ee6fafd3e59d0f609b82e8d425ae2e4ab1d174037b8f33496a09bacc2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509237.crdownload

Filesize
1.9MB

MD5
ccdbdce1580a2eefc3e958aef0544039

SHA1
70d0d4b946f4ed0f7d8cb92022a2cb84040a69f6

SHA256
385b123d8b7ef199d01ec974ff9d25c1a46619af0fd004aea6898e7b5bd3417f

SHA512
623a4452684a3d8f8aeba5efbe1b2471c744c1eeeddef92779980b8fac9e69815204743e9b79f4484c93d6f25cec3b42b44335ce708db88605db3e154ada993b

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
223KB

MD5
59c92e1889a3ca130d0fb47d237a0353

SHA1
be6f96b3f8f484c99116b9972b70e9ddcfc22d69

SHA256
e121e3cc52d3456c72c8acb9c2223ba6ca3dd2f78339f3503f1f347a7487f284

SHA512
f129744fa4f70f9c2abd71060206254ec7784a83dbad5dbde2563f2eaaa296fdee0fc3a460a58b007f12dfad8e7dcd7db2533bf24cfb1da671d949a54d93bc10

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
276KB

MD5
f454926b165e097550d20fb38638f00d

SHA1
976ce130d5a0c68243c8db0efcfc3d3635725c1c

SHA256
01890344520eca8fa59de6819b4d2ebedd6ae64d333450812ecabd52e60dbdd4

SHA512
699b6e4475e3d7d0cdffa522303507fbcec54c943b043345ae919721e76372bfae215470a8f39ce21bcb75fbe763117a8fa1bddc5ad9c089452d8df42e980a7c

Download Submit
memory/924-1557-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/924-1561-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/924-1542-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/924-1543-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/924-1544-0x0000000006130000-0x0000000006152000-memory.dmp

Filesize
136KB

Download
memory/924-1545-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/924-1600-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/924-1555-0x0000000006320000-0x0000000006674000-memory.dmp

Filesize
3.3MB

Download
memory/924-1556-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/924-1540-0x0000000005AD0000-0x00000000060F8000-memory.dmp

Filesize
6.2MB

Download
memory/924-1635-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/924-1630-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download
memory/924-1629-0x0000000007E50000-0x0000000007E5E000-memory.dmp

Filesize
56KB

Download
memory/924-1541-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/924-1571-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/924-1572-0x000000006EF90000-0x000000006EFDC000-memory.dmp

Filesize
304KB

Download
memory/924-1582-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

Filesize
120KB

Download
memory/924-1583-0x0000000007AD0000-0x0000000007B73000-memory.dmp

Filesize
652KB

Download
memory/924-1584-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/924-1585-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/924-1586-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/924-1587-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/924-1539-0x00000000052F0000-0x0000000005326000-memory.dmp

Filesize
216KB

Download
memory/924-1589-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/924-1616-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/4404-1588-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4404-1617-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4404-1639-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-1613-0x0000000007D70000-0x0000000007E06000-memory.dmp

Filesize
600KB

Download
memory/4404-1614-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-1558-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-1590-0x000000006EF90000-0x000000006EFDC000-memory.dmp

Filesize
304KB

Download
memory/4404-1559-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4404-1618-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4404-1560-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/5748-1619-0x000000006EF90000-0x000000006EFDC000-memory.dmp

Filesize
304KB

Download
memory/5748-1601-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/5748-1634-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/5748-1615-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/5748-1602-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/5888-701-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/5888-698-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/5888-697-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/5888-696-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/5888-695-0x0000000009ED0000-0x0000000009EDA000-memory.dmp

Filesize
40KB

Download
memory/5888-674-0x000000000A270000-0x000000000A79C000-memory.dmp

Filesize
5.2MB

Download
memory/5888-673-0x0000000009CD0000-0x0000000009D36000-memory.dmp

Filesize
408KB

Download
memory/5888-672-0x0000000009980000-0x0000000009A1C000-memory.dmp

Filesize
624KB

Download
memory/5888-671-0x0000000009760000-0x00000000097A4000-memory.dmp

Filesize
272KB

Download
memory/5888-670-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/5888-669-0x0000000007EF0000-0x0000000008494000-memory.dmp

Filesize
5.6MB

Download
memory/5888-668-0x00000000737A0000-0x0000000073F50000-memory.dmp

Filesize
7.7MB

Download
memory/5888-667-0x00000000740F0000-0x0000000074104000-memory.dmp

Filesize
80KB

Download
memory/5888-666-0x0000000005580000-0x0000000005594000-memory.dmp

Filesize
80KB

Download
memory/5888-662-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download