Analysis Overview
Threat Level: Likely malicious
The submitted URL https://www.ldplayer.net/?n=25143662#utm_source=article&utm_medium=top&utm_campaign=androidauthority was classified as: Likely malicious. The detonation opened the URL in Microsoft Edge, which downloaded and ran the LDPlayer 9 installer (C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe); the signatures below were raised by that installer and its child processes, apart from the BIOS queries under "Enumerates system info in registry", which come from msedge.exe itself. The verdict is heuristic: the dropped files (VBoxC.dll, VBoxManage.exe, Ld9BoxSup.inf, Ld9BoxNetLwf.sys) identify a rebranded VirtualBox, whose installation legitimately creates services, loads kernel drivers and registers COM classes. Treat the listed behaviours as items to verify against the command lines, which this page does not record, rather than as proof of malware.
Malicious Activity Summary
Creates new service(s)
Possible privilege escalation attempt
Manipulates Digital Signatures
Downloads MZ/PE file
Registers COM server for autorun
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Checks for any installed AV software in registry
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Kills process with taskkill
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 12:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 12:55
Reported
2024-03-06 13:25
Platform
win10v2004-20240226-en
Max time kernel
1705s
Max time network
1827s
Command Line
Signatures
Creates new service(s)
Downloads MZ/PE file
Manipulates Digital Signatures
Every $DLL and Dll value in this table is a bare Windows DLL name (WINTRUST.DLL or Cryptdlg.dll), and the writer is the 32-bit regsvr32.exe writing under WOW6432Node. This is the set of trust-provider, SIP and OID-function registrations produced by running regsvr32 on wintrust.dll and cryptdlg.dll, whose DllRegisterServer re-registers the stock SoftPub/Authenticode providers. The signature fires on writes to these keys regardless of value; an actual Authenticode subversion would show a $DLL or Dll value pointing at a path outside the Windows system directories, and none does here.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\FuncName = "WVTAsn1CatNameValueEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
Raised on three takeown.exe / icacls.exe pairs; the same six processes are listed again under "Modifies file permissions". Taking ownership and then re-granting permissions is how an installer replaces files it does not own, and also how an attacker unlocks protected files. The command lines are not recorded on this page, so the targets of the three pairs cannot be told apart from the report alone.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
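A way to recover what the three takeown/icacls pairs listed under "Possible privilege escalation attempt" and "Modifies file permissions" actually touched, as an added example that is not part of the sandbox output or of LDPlayer: given process-creation events that carry the command line (Sysmon event 1 style), the script pairs each takeown.exe with the icacls.exe that follows it on the same target under the same parent, and marks pairs whose target sits under a directory an installer should not be re-ACLing. The EVENTS list is constructed for the example (the report records image paths only), and the PROTECTED directories, the 30-second window and the ProcEvent shape are assumptions.

```python
"""Pair takeown.exe launches with the icacls.exe that follows them.

The report lists three takeown/icacls pairs but no command lines, so it cannot
say which files were re-ACL'd.  Given process-creation events that carry the
command line (Sysmon event 1 style), this pairs them per parent process and
per target path and flags targets under protected directories.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass
class ProcEvent:
    ts: float      # seconds; any monotonic timestamp works
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories an installer has no business re-ACLing (assumption for the example).
PROTECTED = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample events: NOT from the report, which records image paths only.
EVENTS = [
    ProcEvent(100.0, 4201, 3900, r"C:\Windows\SysWOW64\takeown.exe",
              r'takeown /f "C:\Windows\System32\drivers\example.sys"'),
    ProcEvent(100.4, 4202, 3900, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Windows\System32\drivers\example.sys" /grant Administrators:F'),
    ProcEvent(101.0, 4203, 3900, r"C:\Windows\SysWOW64\takeown.exe",
              r"takeown /f C:\LDPlayer\LDPlayer9 /r /d y"),
    ProcEvent(101.2, 4204, 3900, r"C:\Windows\SysWOW64\icacls.exe",
              r"icacls C:\LDPlayer\LDPlayer9 /grant Everyone:(OI)(CI)F /t"),
    ProcEvent(102.0, 4205, 5100, r"C:\Windows\SysWOW64\icacls.exe",
              r"icacls C:\Temp\orphan.txt /grant Users:R"),   # no matching takeown
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths (with spaces) intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def target_of(image, cmdline):
    """Return the file or directory a takeown or icacls command line operates on."""
    args = tokens(cmdline)
    name = ntpath.basename(image).lower()
    if name == "takeown.exe":          # takeown /f <path> [/a] [/r /d y]
        for i, tok in enumerate(args):
            if tok.lower() == "/f" and i + 1 < len(args):
                return args[i + 1]
        return None
    if name == "icacls.exe":           # icacls <path> /grant ...
        return args[1] if len(args) > 1 else None
    return None


def pair_takeown_icacls(events, window=30.0):
    """Match each takeown with the next icacls on the same target under the same parent."""
    pending = {}   # (ppid, normalised target) -> takeown event awaiting its icacls
    pairs = []
    for ev in sorted(events, key=lambda e: e.ts):
        target = target_of(ev.image, ev.cmdline)
        if target is None:
            continue
        key = (ev.ppid, ntpath.normcase(target))
        tool = ntpath.basename(ev.image).lower()
        if tool == "takeown.exe":
            pending[key] = ev
        elif tool == "icacls.exe" and key in pending and ev.ts - pending[key].ts <= window:
            first = pending.pop(key)
            pairs.append({
                "ppid": ev.ppid,
                "target": target,
                "protected": key[1].startswith(PROTECTED),
                "takeown": first.cmdline,
                "icacls": ev.cmdline,
            })
    return pairs


if __name__ == "__main__":
    for p in pair_takeown_icacls(EVENTS):
        flag = "PROTECTED" if p["protected"] else "ok"
        print(f"[{flag}] ppid={p['ppid']} {p['target']}\n    {p['takeown']}\n    {p['icacls']}")
```

Pairing on parent PID and normalised target rather than on adjacency matters when an installer interleaves several takeown/icacls sequences, as the three pairs here would be; an icacls with no preceding takeown (the last constructed event) is left unpaired rather than attached to the nearest takeown.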
Registers COM server for autorun
The rows record COM class registration (InprocServer32 and LocalServer32 values), not a Run key; "autorun" is the sandbox's label for a server that is loaded whenever its class is instantiated. Two groups are mixed here. The {20191216-...} CLSIDs, written by the 64-bit regsvr32.exe and pointing at C:\Program Files\ldplayer9box\VBoxC.dll, VBoxProxyStub.dll and Ld9BoxSVC.exe, are the rebranded VirtualBox classes: the first GUID component of the upstream CLSIDs has been replaced with 20191216 (upstream VirtualBox is {B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F} and VirtualBoxClient is {dd3fc71d-26c0-4fe1-bf6f-67f633265bba}), which keeps the fork's registrations from colliding with a stock VirtualBox install. The {0002042x-0000-0000-C000-000000000046} keys created by dnrepairer.exe are the stock OLE Automation proxy/stub classes normally served by oleaut32.dll; only key creation is recorded, with no value, so this page does not show whether their InprocServer32 default was changed.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
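The two registry checks a reviewer would run over the "Manipulates Digital Signatures" and "Registers COM server for autorun" tables, as an added example that is not part of the sandbox output or of LDPlayer: the script parses rows copied from those tables, flags any trust-provider $DLL or Dll value that resolves outside the Windows system directories, and flags any COM server path outside Program Files or Windows, or a stock OLE Automation CLSID whose server is not oleaut32.dll from System32. The KNOWN_TRUST_DLLS allowlist, the trusted roots and the two HYPOTHETICAL_ROWS (an evil.dll trust provider and a user-writable oleaut32.dll) are constructed for the example and do not appear in the report.

```python
r"""Audit the registry writes recorded in the report's signature tables.

Rule 1 (Manipulates Digital Signatures): every $DLL / Dll value under
HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography must be a known Windows
DLL name or a path inside the system directories.
Rule 2 (Registers COM server for autorun): every InprocServer32 / LocalServer32
default value must live under Program Files or Windows, and the stock OLE
Automation CLSIDs must keep oleaut32.dll from System32.
"""
import ntpath
import re

KNOWN_TRUST_DLLS = {"wintrust.dll", "cryptdlg.dll", "crypt32.dll", "mssip32.dll"}  # allowlist (assumption)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# PSDispatch .. PSTypeComp: the OLE Automation proxy/stub classes served by oleaut32.dll.
OLEAUT_CLSIDS = {f"{{0002042{i}-0000-0000-c000-000000000046}}" for i in range(6)}

CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\\?$", re.I)

# Rows copied verbatim from the report tables (description | indicator | process | target).
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
"""

# Constructed rows (NOT in the report) showing what a real subversion would look like.
HYPOTHETICAL_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "C:\Users\Public\evil.dll" | C:\Users\Public\evil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Users\\Public\\oleaut32.dll" | C:\Users\Public\evil.exe | N/A |
"""


def unescape(raw):
    # Strip the report's quoting: the outer "...", then \" -> " and \\ -> \.
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    s = s.replace('\\"', '"').replace("\\\\", "\\")
    return s.strip('"')   # LocalServer32 values are quoted a second time


def parse_row(line):
    """Split one pipe-delimited table row into (description, key path, value, process)."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Description":
        return None
    desc, indicator, process = cells[:3]
    path, value = indicator, None
    if " = " in indicator:
        path, raw = indicator.split(" = ", 1)
        value = unescape(raw)
    return desc, path, value, process


def check_trust_provider(path, value):
    # Rule 1: classify a $DLL / Dll value written under ...\Microsoft\Cryptography.
    low = path.lower()
    if value is None or "\\microsoft\\cryptography\\" not in low:
        return None
    if low.rsplit("\\", 1)[-1] not in ("$dll", "dll"):
        return None
    folder = ntpath.dirname(value).lower().rstrip("\\")
    name = ntpath.basename(value).lower()
    if folder == "":                      # bare name: resolved by the loader search order, normally System32
        return "ok" if name in KNOWN_TRUST_DLLS else "review"
    return "ok" if folder in SYSTEM_DIRS else "suspicious"


def check_com_server(path, value):
    # Rule 2: classify an InprocServer32 / LocalServer32 registration.
    m = CLSID_RE.search(path)
    if not m:
        return None
    clsid, kind = m.group(1).lower(), m.group(2)
    if value is None:
        return clsid, kind, "key only (no server path recorded)"
    server = ntpath.normcase(value)
    if clsid in OLEAUT_CLSIDS:
        folder = ntpath.dirname(server).rstrip("\\")
        stock = ntpath.basename(server) == "oleaut32.dll" and folder in ("",) + SYSTEM_DIRS
        return clsid, kind, "ok" if stock else "hijack of stock OLE Automation CLSID"
    if server.startswith(TRUSTED_ROOTS):
        return clsid, kind, "ok"
    return clsid, kind, "suspicious (server outside Program Files / Windows)"


def audit(table_text):
    """Run both rules over every row of a table and return one finding per hit."""
    findings = []
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        desc, path, value, process = row
        t = check_trust_provider(path, value)
        if t:
            findings.append({"rule": "trust", "subject": path.rsplit("\\", 2)[-2],
                             "value": value, "process": process, "verdict": t})
        c = check_com_server(path, value)
        if c:
            clsid, kind, verdict = c
            findings.append({"rule": "com", "subject": clsid, "kind": kind,
                             "value": value, "process": process, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(REPORT_ROWS) + audit(HYPOTHETICAL_ROWS):
        print(f"{f['rule']:5} {f['verdict']:45} {f['subject']}  {f['value']}")
```

On a live host the same two rules apply to values read from HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust and HKCR\CLSID. A bare DLL name passes Rule 1 only because Windows resolves it through the loader search order; when in doubt, confirm which wintrust.dll and cryptdlg.dll a verifying process actually loaded rather than trusting the name alone.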
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\padlock.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ucrtbase.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ldutils2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vbox-img.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\loadall.cmd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxAuthSimple.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSampleDriver.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qwindows.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI32.fd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Gui.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI64.fd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libcurl.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp100.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x86.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxInstallHelper.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSampleDevice.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libcurl.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x64.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxManage.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBTest.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfInstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxNetNAT.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libssl-1_1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\EGL.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetFltUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSharedFolders.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
These BIOS manufacturer and product-name reads are attributed to msedge.exe, the browser the sandbox used to open the submitted URL, not to the downloaded installer, and should be discounted when weighing the verdict.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
Interface registrations for the rebranded VirtualBox COM API (IVirtualBoxSDS, IGuestOSType, IExtraDataChangedEvent and the rest), written under both Classes\Interface and Classes\WOW6432Node\Interface by the 64-bit and the 32-bit regsvr32.exe; each interface's ProxyStubClsid32 points at the VBoxProxyStub class {20191216-1807-4249-5BA5-EA42D66AF0BF} registered above, and NumMethods records the vtable size used for marshalling. This is ordinary proxy/stub registration for an out-of-process COM server.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ = "IGuestProcessIOEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ = "IGuestFileRegisteredEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ = "IVirtualBoxSDS" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\NumMethods\ = "51" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\ = "IGuestFileSizeChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ = "IGuestOSType" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ = "IExtraDataChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486E-472F-481B-969746AF2480} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods\ = "49" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods\ = "16" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A06-81FC-A916-78B2DA1FA0E5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\VersionIndependentProgID | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ = "IUSBProxyBackend" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods\ = "19" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808E-11E9-B773-133D9330F849}\NumMethods\ = "13" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer\ = "VirtualBox.VirtualBoxClient.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9B2D-4377-BFE6-9702E881516B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\NumMethods\ = "16" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8384-11E9-921D-8B984E28A686} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ = "IDHCPServer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods\ = "12" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods\ = "34" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\NumMethods\ = "13" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\NumMethods\ = "28" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods\ = "25" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}\ = "IExtraDataCanChangeEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer\ = "VirtualBox.VirtualBox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\ = "IGuestFileWriteEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\NumMethods\ = "18" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 509237.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/?n=25143662#utm_source=article&utm_medium=top&utm_campaign=androidauthority
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd557e46f8,0x7ffd557e4708,0x7ffd557e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6472 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 /prefetch:2
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6372984063674631199,452974187932520774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25143662 -language=en -path="C:\LDPlayer\LDPlayer9\"
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=393932
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\dismhost.exe {4F0D808E-A6AD-46A1-8DE9-5879FB1145DF}
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ldplayer.net | udp |
| US | 163.181.154.242:443 | www.ldplayer.net | tcp |
| US | 163.181.154.242:443 | www.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 78.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.154.181.163.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.ldplayer.net | udp |
| US | 8.8.8.8:53 | cmp.setupcmp.com | udp |
| US | 172.67.70.36:443 | cmp.setupcmp.com | tcp |
| US | 172.67.70.36:443 | cmp.setupcmp.com | tcp |
| GB | 18.172.153.30:443 | cdn.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 36.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.153.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 172.67.70.36:443 | cmp.setupcmp.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.213.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apien.ldplayer.net | udp |
| US | 8.8.8.8:53 | invite.ldplayer.net | udp |
| US | 8.8.8.8:53 | usersdk.ldmnq.com | udp |
| US | 8.8.8.8:53 | play-lh.googleusercontent.com | udp |
| GB | 172.217.169.86:443 | play-lh.googleusercontent.com | tcp |
| GB | 216.58.213.14:443 | apis.google.com | udp |
| US | 8.8.8.8:53 | 86.169.217.172.in-addr.arpa | udp |
| SG | 47.236.4.49:443 | usersdk.ldmnq.com | tcp |
| SG | 47.245.114.192:443 | invite.ldplayer.net | tcp |
| SG | 47.236.4.49:443 | usersdk.ldmnq.com | tcp |
| SG | 47.245.114.192:443 | invite.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.4.236.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.114.245.47.in-addr.arpa | udp |
| GB | 99.86.114.16:443 | apien.ldplayer.net | tcp |
| GB | 99.86.114.16:443 | apien.ldplayer.net | tcp |
| GB | 99.86.114.16:443 | apien.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 16.114.86.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 74.125.193.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | 84.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ldplayer.net | udp |
| US | 8.8.8.8:53 | 3.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stpd.cloud | udp |
| US | 104.18.30.49:443 | stpd.cloud | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | 49.30.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| IE | 74.125.193.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 2.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.googletagservices.com | udp |
| GB | 216.58.213.2:443 | www.googletagservices.com | tcp |
| US | 8.8.8.8:53 | 2.213.58.216.in-addr.arpa | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | tcp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | tcp |
| GB | 172.217.169.66:443 | securepubads.g.doubleclick.net | tcp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 193.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| FR | 178.250.7.13:443 | gum.criteo.com | tcp |
| DE | 162.19.138.116:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | prebid-stag.setupad.net | udp |
| US | 8.8.8.8:53 | hbopenbid.pubmatic.com | udp |
| US | 8.8.8.8:53 | mp.4dex.io | udp |
| US | 8.8.8.8:53 | adx.adform.net | udp |
| US | 104.26.8.178:443 | prebid-stag.setupad.net | tcp |
| US | 104.26.8.178:443 | prebid-stag.setupad.net | tcp |
| US | 8.8.8.8:53 | prebid.a-mo.net | udp |
| GB | 185.64.190.77:443 | hbopenbid.pubmatic.com | tcp |
| US | 8.8.8.8:53 | rtb.openx.net | udp |
| US | 8.8.8.8:53 | bidder.criteo.com | udp |
| NL | 147.75.84.158:443 | prebid.a-mo.net | tcp |
| US | 8.8.8.8:53 | prebid-eu.creativecdn.com | udp |
| US | 8.8.8.8:53 | prg.smartadserver.com | udp |
| DK | 37.157.3.26:443 | adx.adform.net | tcp |
| US | 172.64.153.78:443 | mp.4dex.io | tcp |
| US | 35.227.252.103:443 | rtb.openx.net | tcp |
| NL | 185.184.8.90:443 | prebid-eu.creativecdn.com | tcp |
| NL | 178.250.1.8:443 | bidder.criteo.com | tcp |
| NL | 81.17.55.99:443 | prg.smartadserver.com | tcp |
| US | 8.8.8.8:53 | script.4dex.io | udp |
| US | 8.8.8.8:53 | tagan.adlightning.com | udp |
| US | 8.8.8.8:53 | c.amazon-adsystem.com | udp |
| DK | 37.157.3.26:443 | adx.adform.net | tcp |
| US | 172.64.153.78:443 | mp.4dex.io | tcp |
| NL | 81.17.55.99:443 | prg.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 13.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.84.75.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.252.227.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.8.26.104.in-addr.arpa | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | 90.8.184.185.in-addr.arpa | udp |
| GB | 13.224.223.9:443 | c.amazon-adsystem.com | tcp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| GB | 216.137.44.76:443 | tagan.adlightning.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | fastlane.rubiconproject.com | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | ssbsync-global.smartadserver.com | udp |
| NL | 213.19.162.41:443 | fastlane.rubiconproject.com | tcp |
| DE | 162.19.138.120:443 | lb.eu-1-id5-sync.com | tcp |
| NL | 89.149.192.197:443 | ssbsync-global.smartadserver.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 104.26.9.169:443 | script.4dex.io | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | cadmus.script.ac | udp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| US | 104.18.23.145:443 | cadmus.script.ac | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | config.aps.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | aax.amazon-adsystem.com | udp |
| GB | 52.84.90.106:443 | config.aps.amazon-adsystem.com | tcp |
| GB | 18.172.154.169:443 | aax.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | u.openx.net | udp |
| DE | 51.38.120.206:443 | onetag-sys.com | tcp |
| US | 34.98.64.218:443 | u.openx.net | tcp |
| US | 8.8.8.8:53 | secure.cdn.fastclick.net | udp |
| US | 8.8.8.8:53 | tags.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | cdn.hadronid.net | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 104.22.53.86:443 | cdn.id5-sync.com | tcp |
| US | 104.22.53.173:443 | cdn.hadronid.net | tcp |
| GB | 18.245.143.100:443 | tags.crwdcntrl.net | tcp |
| GB | 104.84.93.222:443 | secure.cdn.fastclick.net | tcp |
| GB | 104.84.93.222:443 | secure.cdn.fastclick.net | tcp |
| US | 8.8.8.8:53 | i.clean.gg | udp |
| US | 8.8.8.8:53 | 78.153.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.55.17.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.3.157.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.223.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.44.137.216.in-addr.arpa | udp |
| US | 34.95.69.49:443 | i.clean.gg | tcp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.162.19.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.192.149.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.23.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.90.84.52.in-addr.arpa | udp |
| GB | 104.84.93.222:443 | secure.cdn.fastclick.net | tcp |
| US | 8.8.8.8:53 | 169.154.172.18.in-addr.arpa | udp |
| US | 34.95.69.49:443 | i.clean.gg | udp |
| US | 34.98.64.218:443 | u.openx.net | udp |
| US | 8.8.8.8:53 | id.hadron.ad.gt | udp |
| US | 8.8.8.8:53 | bcp.crwdcntrl.net | udp |
| IE | 52.211.99.1:443 | bcp.crwdcntrl.net | tcp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| US | 8.8.8.8:53 | ssbsync.smartadserver.com | udp |
| US | 8.8.8.8:53 | 218.64.98.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.120.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.53.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.53.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.143.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.69.95.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.99.211.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.23.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b0e55b0ade99d0069fba0113e0753fbb.safeframe.googlesyndication.com | udp |
| US | 8.8.8.8:53 | cm.adform.net | udp |
| US | 8.8.8.8:53 | rtb.mfadsrvr.com | udp |
| US | 8.8.8.8:53 | sync.mathtag.com | udp |
| US | 8.8.8.8:53 | pixel-eu.rubiconproject.com | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 216.200.232.253:443 | sync.mathtag.com | tcp |
| US | 8.8.8.8:53 | ads.stickyadstv.com | udp |
| US | 8.8.8.8:53 | pixel.rubiconproject.com | udp |
| US | 8.8.8.8:53 | cs.admanmedia.com | udp |
| US | 8.8.8.8:53 | t.adx.opera.com | udp |
| DE | 51.38.120.206:443 | onetag-sys.com | udp |
| NL | 213.19.162.80:443 | pixel.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | image8.pubmatic.com | udp |
| US | 8.8.8.8:53 | cm.g.doubleclick.net | udp |
| GB | 172.217.169.66:443 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.204.65:443 | b0e55b0ade99d0069fba0113e0753fbb.safeframe.googlesyndication.com | tcp |
| US | 80.77.87.163:443 | cs.admanmedia.com | tcp |
| US | 8.8.8.8:53 | static.criteo.net | udp |
| DE | 18.159.140.41:443 | rtb.mfadsrvr.com | tcp |
| NL | 213.19.162.80:443 | pixel.rubiconproject.com | tcp |
| FR | 154.54.250.151:443 | ads.stickyadstv.com | tcp |
| NL | 82.145.213.8:443 | t.adx.opera.com | tcp |
| DK | 37.157.6.243:443 | cm.adform.net | tcp |
| US | 8.8.8.8:53 | a.ad.gt | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | u.4dex.io | udp |
| NL | 198.47.127.18:443 | image8.pubmatic.com | tcp |
| FR | 178.250.7.2:443 | static.criteo.net | tcp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | tcp |
| US | 104.22.5.69:443 | a.ad.gt | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| US | 34.149.40.38:443 | u.4dex.io | tcp |
| US | 80.77.87.163:443 | cs.admanmedia.com | tcp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | sync.1rx.io | udp |
| US | 8.8.8.8:53 | x.bidswitch.net | udp |
| GB | 216.58.204.65:443 | b0e55b0ade99d0069fba0113e0753fbb.safeframe.googlesyndication.com | tcp |
| NL | 35.214.149.91:443 | x.bidswitch.net | tcp |
| US | 8.8.8.8:53 | ads.pubmatic.com | udp |
| NL | 46.228.174.117:443 | sync.1rx.io | tcp |
| US | 8.8.8.8:53 | proc.ad.cpe.dotomi.com | udp |
| NL | 63.215.202.146:443 | proc.ad.cpe.dotomi.com | tcp |
| GB | 96.16.109.9:443 | ads.pubmatic.com | tcp |
| US | 8.8.8.8:53 | 222.93.84.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.162.19.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.232.200.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.250.54.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.213.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.140.159.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.6.157.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.127.47.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.40.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.5.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.87.77.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.149.214.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.174.228.46.in-addr.arpa | udp |
| GB | 96.16.109.9:443 | ads.pubmatic.com | tcp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | p.ad.gt | udp |
| US | 8.8.8.8:53 | secure.adnxs.com | udp |
| US | 8.8.8.8:53 | image2.pubmatic.com | udp |
| US | 8.8.8.8:53 | token.rubiconproject.com | udp |
| US | 8.8.8.8:53 | ids.ad.gt | udp |
| US | 8.8.8.8:53 | bh.contextweb.com | udp |
| US | 8.8.8.8:53 | dpm.demdex.net | udp |
| GB | 185.64.191.210:443 | image2.pubmatic.com | tcp |
| NL | 185.89.210.212:443 | secure.adnxs.com | tcp |
| NL | 213.19.162.90:443 | token.rubiconproject.com | tcp |
| NL | 208.93.169.131:443 | bh.contextweb.com | tcp |
| IE | 52.210.135.107:443 | dpm.demdex.net | tcp |
| US | 104.22.4.69:443 | ids.ad.gt | tcp |
| US | 104.22.4.69:443 | ids.ad.gt | tcp |
| US | 104.22.5.69:443 | ids.ad.gt | tcp |
| US | 8.8.8.8:53 | dsp.adfarm1.adition.com | udp |
| US | 8.8.8.8:53 | match.sharethrough.com | udp |
| DE | 3.120.42.162:443 | match.sharethrough.com | tcp |
| DE | 3.120.42.162:443 | match.sharethrough.com | tcp |
| US | 8.8.8.8:53 | node.setupad.com | udp |
| US | 8.8.8.8:53 | 146.202.215.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.191.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.109.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.4.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.162.19.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.169.93.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.135.210.52.in-addr.arpa | udp |
| US | 104.22.5.69:443 | ids.ad.gt | tcp |
| US | 104.22.5.69:443 | ids.ad.gt | tcp |
| DE | 159.89.25.223:443 | node.setupad.com | tcp |
| DE | 85.114.159.93:443 | dsp.adfarm1.adition.com | tcp |
| US | 8.8.8.8:53 | 162.42.120.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.25.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eus.rubiconproject.com | udp |
| US | 8.8.8.8:53 | setupad-d.openx.net | udp |
| US | 8.8.8.8:53 | sync.a-mo.net | udp |
| US | 8.8.8.8:53 | 93.159.114.85.in-addr.arpa | udp |
| US | 34.149.40.38:443 | u.4dex.io | udp |
| US | 8.8.8.8:53 | ice.360yield.com | udp |
| US | 8.8.8.8:53 | pixels.ad.gt | udp |
| US | 8.8.8.8:53 | ag.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gem.gbc.criteo.com | udp |
| IE | 54.217.116.3:443 | ice.360yield.com | tcp |
| US | 104.22.5.69:443 | pixels.ad.gt | tcp |
| FR | 185.235.86.156:443 | ag.gbc.criteo.com | tcp |
| NL | 185.235.87.116:443 | gem.gbc.criteo.com | tcp |
| IE | 54.217.116.3:443 | ice.360yield.com | tcp |
| US | 104.22.5.69:443 | pixels.ad.gt | tcp |
| US | 8.8.8.8:53 | 116.87.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.86.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.116.217.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.amazon-adsystem.com | udp |
| US | 8.8.8.8:53 | rtb-csync.smartadserver.com | udp |
| GB | 92.123.242.2:443 | eus.rubiconproject.com | tcp |
| US | 209.54.182.161:443 | s.amazon-adsystem.com | tcp |
| US | 8.8.8.8:53 | visitor.omnitagjs.com | udp |
| US | 8.8.8.8:53 | s.company-target.com | udp |
| US | 8.8.8.8:53 | eu-u.openx.net | udp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| US | 34.96.71.22:443 | s.company-target.com | tcp |
| NL | 145.40.97.66:443 | sync.a-mo.net | tcp |
| US | 8.8.8.8:53 | 2.242.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.71.96.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.182.54.209.in-addr.arpa | udp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| NL | 81.17.55.116:443 | rtb-csync.smartadserver.com | tcp |
| FR | 185.255.84.152:443 | visitor.omnitagjs.com | tcp |
| US | 8.8.8.8:53 | 66.97.40.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.84.255.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.55.17.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 81.17.55.116:443 | rtb-csync.smartadserver.com | tcp |
| US | 8.8.8.8:53 | cdn.ampproject.org | udp |
| GB | 142.250.180.1:443 | cdn.ampproject.org | tcp |
| NL | 81.17.55.116:443 | rtb-csync.smartadserver.com | tcp |
| GB | 142.250.180.1:443 | cdn.ampproject.org | udp |
| US | 8.8.8.8:53 | 1.180.250.142.in-addr.arpa | udp |
| NL | 178.250.1.8:443 | bidder.criteo.com | tcp |
| NL | 81.17.55.99:443 | prg.smartadserver.com | tcp |
| US | 35.227.252.103:443 | rtb.openx.net | udp |
| US | 8.8.8.8:53 | secure-assets.rubiconproject.com | udp |
| NL | 81.17.55.116:443 | rtb-csync.smartadserver.com | tcp |
| US | 8.8.8.8:53 | assets.a-mo.net | udp |
| US | 104.19.158.19:443 | assets.a-mo.net | tcp |
| US | 8.8.8.8:53 | 19.158.19.104.in-addr.arpa | udp |
| GB | 23.215.239.190:443 | secure-assets.rubiconproject.com | tcp |
| GB | 172.217.169.66:443 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 172.217.169.66:443 | securepubads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 190.239.215.23.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 216.58.204.66:443 | cm.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | rubiconcm.digitaleast.mobi | udp |
| US | 34.95.81.168:443 | rubiconcm.digitaleast.mobi | tcp |
| US | 34.149.40.38:443 | u.4dex.io | udp |
| GB | 142.250.178.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 168.81.95.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ldplayer.net | udp |
| US | 8.8.8.8:53 | id.a-mx.com | udp |
| NL | 185.89.210.90:443 | secure.adnxs.com | tcp |
| DE | 79.127.216.47:443 | id.a-mx.com | tcp |
| US | 8.8.8.8:53 | ow.pubmatic.com | udp |
| NL | 185.64.189.116:443 | ow.pubmatic.com | tcp |
| US | 8.8.8.8:53 | 90.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.216.127.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.189.64.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prebid-server.rubiconproject.com | udp |
| NL | 213.19.162.71:443 | prebid-server.rubiconproject.com | tcp |
| US | 8.8.8.8:53 | 71.162.19.213.in-addr.arpa | udp |
| NL | 145.40.97.66:443 | sync.a-mo.net | tcp |
| US | 8.8.8.8:53 | ups.analytics.yahoo.com | udp |
| DE | 3.71.149.231:443 | ups.analytics.yahoo.com | tcp |
| US | 8.8.8.8:53 | 231.149.71.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d3n1ms4uhtqgov.cloudfront.net | udp |
| GB | 18.244.115.100:443 | d3n1ms4uhtqgov.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 100.115.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| GB | 18.172.153.23:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | d1arl2thrafelv.cloudfront.net | udp |
| GB | 216.137.34.91:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 23.153.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.178.204.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.34.137.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.216.138.108.in-addr.arpa | udp |
| GB | 216.137.34.91:443 | d1arl2thrafelv.cloudfront.net | tcp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 97.136.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| GB | 172.217.16.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| GB | 172.217.16.238:80 | www.google-analytics.com | tcp |
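Reading this table by hand is slow because the sandbox interleaves three kinds of rows: forward lookups sent to 8.8.8.8:53, reverse (`*.in-addr.arpa`) lookups that the analysis environment issues for every IP it sees, and the actual TCP/UDP connections. The Python below is an added example, not part of this report or of any sandbox vendor's tooling. It parses rows in exactly the format shown here and in the Files section that follows, separates connections from resolver noise, lists the plain-HTTP destinations, and flags paths the report lists more than once with different hashes. The sample rows are copied from this page; treating 8.8.8.8:53 as the sandbox resolver and the suffix ignore-list a caller passes to `ioc_hosts` are my assumptions.

```python
"""Triage helpers for the Network and Files tables of this sandbox report.

Added example, not the report's or any vendor's code. Sample rows below are
copied from this page; classification rules are assumptions (see comments).
"""
import re
from collections import defaultdict

# Constructed sample: a handful of rows copied verbatim from the table above.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | apien.ldplayer.net | udp |
| US | 8.8.8.8:53 | 16.114.86.99.in-addr.arpa | udp |
| GB | 99.86.114.16:443 | apien.ldplayer.net | tcp |
| GB | 99.86.114.16:443 | apien.ldplayer.net | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| GB | 216.58.213.14:443 | apis.google.com | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| GB | 172.217.16.238:80 | www.google-analytics.com | tcp |
"""

# Constructed sample: three entries copied from the Files section (SHA1/SHA512 rows omitted).
FILE_ENTRIES = r"""
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | 7c2e5ef59e9589422bcd5bf3726fbcb1 |
| SHA256 | 6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd |
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | ea06400812db536cd5ec6544bd844000 |
| SHA256 | 30d02c376fa56c85037bd1ab842c17c9e332d8785d273279cc59f5040516afa3 |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
"""

ROW = re.compile(r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")
PATH = re.compile(r"^[A-Za-z]:\\")
HASH = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")

# Assumption: the sandbox's resolver is 8.8.8.8:53; rows to it are lookups, not sample traffic.
SANDBOX_RESOLVER = ("8.8.8.8", 53)


def parse_network(text):
    """Parse '| CC | ip:port | host | proto |' rows into dicts, skipping anything else."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "host": host, "proto": proto})
    return rows


def classify(row):
    """'ptr' = reverse lookup the analysis box issued, 'dns' = forward lookup, 'conn' = real connection."""
    if (row["ip"], row["port"]) == SANDBOX_RESOLVER:
        return "ptr" if row["host"].endswith(".in-addr.arpa") else "dns"
    return "conn"


def connections(rows):
    """Aggregate real connections per host: distinct (ip, port, proto) endpoints and a hit count."""
    agg = defaultdict(lambda: {"endpoints": set(), "count": 0})
    for r in rows:
        if classify(r) == "conn":
            agg[r["host"]]["endpoints"].add((r["ip"], r["port"], r["proto"]))
            agg[r["host"]]["count"] += 1
    return dict(agg)


def cleartext_hosts(rows):
    """Hosts reached over TCP/80: anything fetched there arrives unauthenticated, so check what it was."""
    return sorted({r["host"] for r in rows
                   if classify(r) == "conn" and r["port"] == 80 and r["proto"] == "tcp"})


def ioc_hosts(rows, ignore_suffixes=()):
    """Resolved hostnames for IOC extraction, minus PTR noise and an analyst-supplied suffix list."""
    names = {r["host"] for r in rows if classify(r) in ("dns", "conn")}
    return sorted(h for h in names if not h.endswith(tuple(ignore_suffixes)))


def parse_files(text):
    """Return [(path, {algo: digest})] in report order; the same path may appear several times."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if PATH.match(line):
            entries.append((line, {}))
        else:
            m = HASH.match(line)
            if m and entries:
                entries[-1][1][m.group(1)] = m.group(2)
    return entries


def rewritten_paths(entries):
    """Paths recorded with more than one distinct SHA256: the file changed while being written,
    so no listed digest is 'the' hash until you know which write was last."""
    seen = defaultdict(list)
    for path, digests in entries:
        if "SHA256" in digests:
            seen[path].append(digests["SHA256"])
    return {p: hs for p, hs in seen.items() if len(set(hs)) > 1}


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    for host, info in sorted(connections(rows).items()):
        print(f"{host}: {info['count']} connection(s) -> {sorted(info['endpoints'])}")
    print("cleartext:", cleartext_hosts(rows))
    print("IOC candidates:", ioc_hosts(rows, ignore_suffixes=(".google.com", ".identrust.com")))
    for path, hashes in rewritten_paths(parse_files(FILE_ENTRIES)).items():
        print(f"rewritten during detonation: {path} ({len(hashes)} SHA256 values)")
```

Run over the full Files section, `rewritten_paths` surfaces exactly the caveat this report needs: `C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe` is listed four times with four different SHA256 values, and `LDPlayer.exe`, `dnrepairer.exe` and `system.vmdk` twice each, because the sandbox hashed them while the download or the installer was still writing them. None of those digests should be published as the installer's hash without re-hashing the final artifact from the detonation's disk.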
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1e3dc6a82a2cb341f7c9feeaf53f466f |
| SHA1 | 915decb72e1f86e14114f14ac9bfd9ba198fdfce |
| SHA256 | a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c |
| SHA512 | 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36bb45cb1262fcfcab1e3e7960784eaa |
| SHA1 | ab0e15841b027632c9e1b0a47d3dec42162fc637 |
| SHA256 | 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae |
| SHA512 | 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fab58eab07cec82f4c0454fd14b6f4fc |
| SHA1 | 0284da2a8dbf857aed2034470d15549adba7ca66 |
| SHA256 | 2eb52b01cc0ebaa26e18667a25c1c6da61ae310fa2d25bf78fdb39db2ef85f8a |
| SHA512 | fb1405e53a31ce6cc9248b99a2030fd49125a2e9ae94fd4e78e6821ee83bfe3dba88d006a59c95f3812a299bbebd054341a32680b129d613d69fd0d38e73f51d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 819298bde23771042e23c6da88263515 |
| SHA1 | 1e0633dd2d60e96308479df1fe4563d49a115ea0 |
| SHA256 | 7d72a7f4ecdb381aa5c9c6f8cab8d46d32346345d0fd4da8fc679a62d4535b18 |
| SHA512 | 30fbc3286aa2ecfb043681e23eb5971bbb6fddcb380c9028112c6ad6b96703d223dd238768e8eced64d107c3dece9322d499a2004b25e48841907bf01f7f2810 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0c24946b7c921764365d169dcf40698f |
| SHA1 | 1b2600c7b0e2e48d7dc138211135465c98273eb8 |
| SHA256 | dab4ab463a9a5f6bc108a64411f5c7b6db0716d713ce68704de78000c6549f0f |
| SHA512 | 11c814398136f9e7b96096993692ec14eed25f0239b49e16611ea7aa1ba63f81200585caa1de7a326ef1dec4941354454c9da57e877fd5f728cea17a3ae14e88 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a95026cee7b4881a4b9f4c592b782938 |
| SHA1 | 97866151b126e56e8f406656667952b33120a734 |
| SHA256 | 9fecef4ff7db47e3fe984bc480742308b25e13ace30b882f30988e92524f1ad8 |
| SHA512 | 9871945ebf7bafe7664818792390242b38ebc4714dcbd7aafb06d9270f14f89a96b43c24292c017922d61b885b492dbfad7dd6c89fe9a1d5548adf1671cdbba9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 33512ecc142374267de05b9347128b6c |
| SHA1 | c20f4b301175abf17d878533fd5767b30494eece |
| SHA256 | 1913c713a5fb074a97d09c87c9235be942071bd04c89c23b9a64f8be93c84108 |
| SHA512 | 5d564d38f45c17fba369b82471773a8ce397e8cf71fe671f12ea5ff6c8a24c9ef68ca85ef8a3280cafb35fb8f3cb2f7e5a0f9f8bf1e30e12e21675809daa215e |
C:\Users\Admin\Downloads\Unconfirmed 509237.crdownload
| MD5 | ccdbdce1580a2eefc3e958aef0544039 |
| SHA1 | 70d0d4b946f4ed0f7d8cb92022a2cb84040a69f6 |
| SHA256 | 385b123d8b7ef199d01ec974ff9d25c1a46619af0fd004aea6898e7b5bd3417f |
| SHA512 | 623a4452684a3d8f8aeba5efbe1b2471c744c1eeeddef92779980b8fac9e69815204743e9b79f4484c93d6f25cec3b42b44335ce708db88605db3e154ada993b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cd9cff66208a62afb9dd9476dd2cf2c5 |
| SHA1 | 477912794f06f3d0905787ba55aa0a9f890c2a0e |
| SHA256 | fde06b2977757cecf53cb2dcf1b3dd29318f9e400ad9d68ddbba2e54d1ae9500 |
| SHA512 | 86111cd4a056a66b43f276b5c886e156a3310c48547733afbd7b49843077ff66666aa95dec329519973b7f9f7abc03f7afa71acda0e2c6245e479d7b7fbd9bdb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 21f134d986b8af89a10d1b2a2e1f8793 |
| SHA1 | a97162d008f9b220baf71b639e043c0bbfd1d2eb |
| SHA256 | 087bd6a9aa220139248321f64c14a469be2b36fbb39633b25a49f8d028d1c57c |
| SHA512 | 52dd388d0ec675240e31dcb1e7f41d9f4d82c68551213b8fa42c4b47b17fff24b4e13cc93dc9ec6d418bdf0afe1085e01a0d53a995742fed93ecc387c46486a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d376ab708b4efa3be05e2603a747fece |
| SHA1 | 39704cae2474df6b98740376d9ce41df4a00890d |
| SHA256 | b0479b1a0d9b8dd09986b3a8d37e26f71abf6f1037f46a897c473ec3b5184620 |
| SHA512 | ad60a9c17b03c438399c785068a440a49603907c33a017f1a07c85cac9ffa8fee754b722de8faef387946fc712acadcbbc52b2a7be1ddbb957fdd57dfb529b87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59266a.TMP
| MD5 | 427e5b6faed6d0dccea00a18a7146b55 |
| SHA1 | e38a30dc61d038bebbc2fac9a40a920b745254b0 |
| SHA256 | ff7d15290f00ef1668f2011262a430c711c975690fb0f7f8417484246274281e |
| SHA512 | 8a386bb13dbfd5787f59edda9da1628963db4864faad7b5cd9e956266aed79be5f9087a65bb6da16ab889440b9a59e38252bc5ef9c07428e06390353fd108f9a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ace6cf4d89f42c89e6d811c143f4efa9 |
| SHA1 | 5f6208d64ff8ba2f5dece835f8f82cca18ffe127 |
| SHA256 | de8e021789c526b5c4f2eec3aafe4fbc091a80fdb2987f47cd9d8eb034f16037 |
| SHA512 | bfa767be6bfaf8d5b46d56da4ef259da87c27087443d2d741983875091e3fe8b37299c61cb559dbcdf4bcd7ea2d99d027887f785c1ef81cb4a6a76b0fe696285 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6548942b346afc482f759a6f7adab38a |
| SHA1 | 0fff5afbfe4b7b19a129950ba2e8fdefbb0f4a40 |
| SHA256 | 4171587d681e8b28eeebcba3fee524f6598421a5fbd759f03a14db6d34ae0337 |
| SHA512 | 6282db42bc911caf18bc2ab0357ad026b4cf888a2094744766ae9d0e290718f12ed0666b7b92281fb5e45e7a12121fdc97a54e6f91e01b0ecb3d74281c4ff553 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | dfab14b182ae6cbf8e780ad419af9a16 |
| SHA1 | bf7ce7b10b288497d431a0de26da88f4d89c798f |
| SHA256 | 391e9bad9a7032b6044f9295b9a92453b882cc3ff782a71a4686c28428fa482a |
| SHA512 | 9bea1e1a0fc1ec01dee207a70968fd01a33aeac6768d7a6fd3575c298ad3f47e5056274d4c10a1f3cdbfb14ccc9f7810d1e21f6731b05266437caf85b2b345c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 81b77168b174e54a3db29d85facba28b |
| SHA1 | be26dfebf256bb4962bc0740f8c6a6f853008d97 |
| SHA256 | 6aba23c8baaca0dda78e2b1a77ac9343191bde5603cda687f6c56e7385bc26e5 |
| SHA512 | 8ea7e30a54e0ea2418c7a9bd1de63206ad6886a99803eead2eb085b788822cf1b99f81b58a405a8a7f6d943e8f30f980ed086530b3a0ed4b2ba23979b436033c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c510b121f9eb4ad4de7354dcaf2ea24b |
| SHA1 | 4eb3bdcda2b197f46149661b02a1fd7147c58b38 |
| SHA256 | 96f10ec98f12f071c5fa42d0d9263c6bb95eaf9339867bc63ab4e993215e3baf |
| SHA512 | 9e9da02a71bac9543c84656baf560ff73fc5994fdc076eef1c1fe5d98c83770173ffeb8cedbc9391eaf721e4f0ec479e7b88e68fa8623a0d8a617a067553f2c4 |
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | 7c2e5ef59e9589422bcd5bf3726fbcb1 |
| SHA1 | c4dac6966ac4cd3500d6a7fe44138a0db639d507 |
| SHA256 | 6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd |
| SHA512 | 28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ff2dd468b05d6b2bb1ef6a1161802fe3 |
| SHA1 | 291248c6b1389ac6810c803d3e044fb7300a69ce |
| SHA256 | 15bcf194dfde7ad758d4f0e37d3a1a50498da4446f7c85a9c9885a80c622e1f6 |
| SHA512 | 1f9aa12b5ee4089915fc14655c3bcffb365d674b4b37a658f0672ce879fc779379feac3ae8471faa4a50afe269d91c985862fc992af9821d3fdaafb15bc45190 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 759323ae85cb98313ef69905c07e15c5 |
| SHA1 | df28370d693154f9d295c209621a2248d634ccd5 |
| SHA256 | 70d9cb01cd1767e116a8f80b1238ac442083857ec13fbef0805ce9552002d493 |
| SHA512 | 32a0767569839bec6f3d3e902ec0d9737dbbddeba42b7416d6ae7dbeaac174e82cb3e02740a6780da824c7294c544fc41295c578f5d5462b586f05b47b5b2e05 |
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | b94393bf4c77ed64ec839c28c7947c9c |
| SHA1 | c41e23fcf7fc7be9aea5f757b382dcd8156a4c3d |
| SHA256 | 1b4d2cd046d04a94813a1930f75bba373ab932f49fcc969c81a5498f7ac989c2 |
| SHA512 | 90e059d5b30ff4527a21dd4815c522a2833195b2db5a58839933b6e2e26fce7009175fc02d8dbaa8fd6a649335a687e8db62a6ebd72e7b6772a499ff2c7e2976 |
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | 720f7f127c4cc303cd6232b6d17ae932 |
| SHA1 | c78072dba5451e235069322f89dfcfe6667f591b |
| SHA256 | 7a90fc13199a03918ba5e6c0b52f1fb80a5d14f426f921aa88607929a375aea5 |
| SHA512 | 41fefe68404678c10febc2a280bee10f46a0d1ebdf4d6b3253fa0f4782d08d2f88cbcf34a92969b7e60216aaed33e76d1c680804a356e344f30a11b9a9311d52 |
C:\Users\Admin\Downloads\LDPlayer9_ens_25143662_ld.exe
| MD5 | ea06400812db536cd5ec6544bd844000 |
| SHA1 | 8f22db3d3f4432b4f8b89d36339a999a9c9b7350 |
| SHA256 | 30d02c376fa56c85037bd1ab842c17c9e332d8785d273279cc59f5040516afa3 |
| SHA512 | ba745bced97684fdb73d690a67b0a343a998e8cc0592e74d7018b268975d94e2131cdc1ee6fafd3e59d0f609b82e8d425ae2e4ab1d174037b8f33496a09bacc2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b551087ab8bec9f65c8afb7fbc026b6f |
| SHA1 | e7b79c62623b3a26a5b50cfedb1567dfa88fb836 |
| SHA256 | 5fe126fd94388910836c0def6764c3cea3b51c3bc88f659702320272de693c95 |
| SHA512 | a5dabb2198575456cda494cc48f7c2fc89a071564fe1a6fcbf72e32ce9fe4512acfff7954613d3247161721c7373f04688a31445061bd553c41e88fdb0813944 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 82611273b64989f2c04f87bdecca2da9 |
| SHA1 | 71e659b3c1d45397ee42f933a92657a6b4e49f97 |
| SHA256 | eeb101fccc38dc8234b099d9d50815834d3017319fb75ace345dc3b746dbc4f5 |
| SHA512 | 6be4a86d44f7902effa8351d963b7a60c7156e12389cf83b668cfd694a0282a2bba6892b873b4cc31762af3574ccfc4271d40da2b36361067c06ba6b6c57fa3a |
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | 7d5d3e2fcfa5ff53f5ae075ed4327b18 |
| SHA1 | 3905104d8f7ba88b3b34f4997f3948b3183953f6 |
| SHA256 | e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4 |
| SHA512 | e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589 |
memory/5888-662-0x0000000005620000-0x0000000005630000-memory.dmp
memory/5888-666-0x0000000005580000-0x0000000005594000-memory.dmp
memory/5888-667-0x00000000740F0000-0x0000000074104000-memory.dmp
memory/5888-668-0x00000000737A0000-0x0000000073F50000-memory.dmp
memory/5888-669-0x0000000007EF0000-0x0000000008494000-memory.dmp
memory/5888-670-0x0000000007A20000-0x0000000007AB2000-memory.dmp
memory/5888-671-0x0000000009760000-0x00000000097A4000-memory.dmp
memory/5888-672-0x0000000009980000-0x0000000009A1C000-memory.dmp
memory/5888-673-0x0000000009CD0000-0x0000000009D36000-memory.dmp
memory/5888-674-0x000000000A270000-0x000000000A79C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | bc2a8fb24f806322bf7f7362a1db8f1c |
| SHA1 | d51e5d9b985e50654e14949995cb0aa2ebedc175 |
| SHA256 | 0df0971bfb0badb022a1363b08ae2902e115d28da35093636950088d65b0a187 |
| SHA512 | dcc5ffaced9be2edd5e631caf9fd15f2434f7e5cdf9f8455fe64760aaed5f58227e766e7c040a5a9a7db6e1d4066daefeb00284cc203407c6d3b416dbf67795f |
memory/5888-695-0x0000000009ED0000-0x0000000009EDA000-memory.dmp
memory/5888-696-0x0000000005620000-0x0000000005630000-memory.dmp
memory/5888-697-0x0000000005620000-0x0000000005630000-memory.dmp
memory/5888-698-0x00000000737A0000-0x0000000073F50000-memory.dmp
memory/5888-701-0x0000000005620000-0x0000000005630000-memory.dmp
C:\LDPlayer\LDPlayer9\LDPlayer.exe
| MD5 | fbef175a8cdc6e8618521d6b7dbb2020 |
| SHA1 | 4a91f97ed672dc9af3badcced729fdf0b5fbf40b |
| SHA256 | 7dca457019cf21b7bb5770080a17822238e4cef2c819d499d1f36a492be99650 |
| SHA512 | 5bcd5e4e67a63720ac5a0915765168c8a977574bc919cbdbabcd0770d072faa80ce10be51d0da41d580773df0c6efbb917c6321b1345dfd0a4f5110fbe9c5f23 |
C:\LDPlayer\LDPlayer9\LDPlayer.exe
| MD5 | 0686471f9a15fc9fad42fe347cb1bf0f |
| SHA1 | b80910dec7faac60011107d1a9b29dc09d0834b5 |
| SHA256 | 2cc66bffec5b96758529e867d2f42ab2c00203f8df286d67ab3664f206d7f1f1 |
| SHA512 | 2539132fcd84be99ccb1027c663d8bb261b9f886e3eb314f0dd652e1779b255920dad622aa4a9ca1712bdebc75375ccc3922bee2bcc628914f868b013f985a5c |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 2bf1f07d681eec659f4bcb21979f646e |
| SHA1 | 795aac7ab3cc5c390afb1225409c7a4899d81a94 |
| SHA256 | 55423a27b7a4a07d43af47aa53628a0cb6ea8a0de4718b00df618cf6d4adb8cf |
| SHA512 | 9b06cfc773a99959cc3232becf6575f324dcb0ef150a51490d1feb3d85d9217a7bc0577645fa08562e23b9e8311d1e4b2b8b1b7afd5f6777b451f395dc15c0f5 |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 67e5cbb3210a5273b3b02f87fa94387d |
| SHA1 | 330c303564a420557a4e2a5c9b75282196ed6853 |
| SHA256 | 918baec0b71678b8f1bcbb4b8db71afb438a0495dd2113926a370130cbb01cba |
| SHA512 | 80c8903b44ec7446ec61c4e0c9ea2af1c09fd249f942f2d0b9240d661b304884f9c54f1286af8968e68381a56fd321fc1c05691043eb0d9c3ee46090f1827403 |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\msvcp120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | 8da2312c92040413e8cbff49bbd8693d |
| SHA1 | 3016688309a86c38bceaa6cbd7accf9d60f77dad |
| SHA256 | 16e44ffd34be068bc00712ac650adb19c1e7fdbe29b6a99b8ed8d34fb5bdce3e |
| SHA512 | f2e56d01dc2bc5c7ddee4e39ea341791efe1fbf7a7ee1a4b76770667b5cbc83fce83ce7f978c857059ee536c27d132b4204c9691e03565736f413a41aecc0a41 |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | 6798fff2f289661b6e6eb25e03f859b5 |
| SHA1 | 927ce8b1e3e0040437161be6fb69bc194fd48abe |
| SHA256 | ca7232633e1fb50ec87b77c15c346c653c0b81587df45fb6f1a813ab05d9da00 |
| SHA512 | 8b1ca7ad245a043fa00533bcfff5870b1bf78c8ffbdfe5c57bde3663b65e07f73fe3418ec0eacaac837e510505fe39338f9deafb41984d8e62727180028ed7c5 |
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
| MD5 | 2a31f29646fa2ded1db8f8670f06f7a3 |
| SHA1 | 267a436278ac47177e0db1ece5dc254b3f46dfa9 |
| SHA256 | 7c76da18b150595f17bb7193d7c222e679cea15e50488626845340e2aa679fe1 |
| SHA512 | f4bc4c19505371f5f501ce3982e129561664c193ce32ca8b02ca37464d3066a8dd231c51db2df17e93054f43a31918799c1be64aa33a32cf562b6b92f85dd490 |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | 0bff82d11b422d74a4eb0c8a9e6ac4b6 |
| SHA1 | 0fcad20fee86d7ec38368a25daec6a1838ae8bd5 |
| SHA256 | 1bab3b9a847d4a5491ab5695a0afae562db8750d9c3300e804f2900b1e98f5b6 |
| SHA512 | 52824f7103fd5d66621f1b515b4932e072f38a3ee4d540efae9691511afa9f4260153fb57958a5aa64d371c708e1406fc0e8edb01bf6e036e13290501731a051 |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | e69e4aaf235a85b6641a02b4e3ed7ce8 |
| SHA1 | 502e5323d750da6b7acfcf0c78616693d961fdea |
| SHA256 | 28c99279372d8f5d0950454f9c5daa14328901931afdc7ba8eec29c90437bf9f |
| SHA512 | a854b8ead63d952220667c3912ed8111b24a140b53ef5c8f28b0f339a7d9cde09f8e8f103ddadadaf9bb12e735ee2645261b6c2030d7c6d87905f46edbe6fff4 |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | 39574e2d2bd8f11b07bf8f5ae22853d9 |
| SHA1 | 8b62d5c9c85df1e83c82ab2fae278564eec0d5c8 |
| SHA256 | 2b795abef93434e91d73350da37f7c63670f03d10e0733a0468b5d79fe7d666d |
| SHA512 | e77114671a1a1545996fd0f8ce58879cfa20d1adbbb9f281dfe6ae96d36ca9c51645615e93cfc81b029b12ec181d546c599c3d30b7b0b7e4d1247d8806cec622 |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\DismProv.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 59c92e1889a3ca130d0fb47d237a0353 |
| SHA1 | be6f96b3f8f484c99116b9972b70e9ddcfc22d69 |
| SHA256 | e121e3cc52d3456c72c8acb9c2223ba6ca3dd2f78339f3503f1f347a7487f284 |
| SHA512 | f129744fa4f70f9c2abd71060206254ec7784a83dbad5dbde2563f2eaaa296fdee0fc3a460a58b007f12dfad8e7dcd7db2533bf24cfb1da671d949a54d93bc10 |
C:\Users\Admin\AppData\Local\Temp\99E86F0F-C2FB-4665-B467-6885D4D9DD0C\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | f454926b165e097550d20fb38638f00d |
| SHA1 | 976ce130d5a0c68243c8db0efcfc3d3635725c1c |
| SHA256 | 01890344520eca8fa59de6819b4d2ebedd6ae64d333450812ecabd52e60dbdd4 |
| SHA512 | 699b6e4475e3d7d0cdffa522303507fbcec54c943b043345ae919721e76372bfae215470a8f39ce21bcb75fbe763117a8fa1bddc5ad9c089452d8df42e980a7c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4idrv0so.wxu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | 0e2bbd8da8468b1c69dfd189278d76c2 |
| SHA1 | d53b3795a67f0936a892ca9a7a35b4808d83046c |
| SHA256 | 8d23d8307f167421a298d676a88960df0c54201b4d5085b254f3189a23126891 |
| SHA512 | 1c5c0ed65b23169e939911a15f9b357ae66143b72408d8d7b0e4fa9a2fa97b6182140bd71fddc7ed25f4b7b3e34ad55e239f16eb7a6c5b6370acd9f8e0302485 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
| MD5 | b72e8066f8f4256ed8edb855e258dc53 |
| SHA1 | 07c8dd9449707df179b997a2d13e0bb66e4ef49f |
| SHA256 | fbadb8e49e373db7659252af834a8de385b2f4ea90188ccc1c45083f647c3e3a |
| SHA512 | dac81255e93078f8b617460129cdcaa9a825cfe3f7493982a07794ca01f9328669741696dfd14c8dd7e25b90fa6b6b725233b36a3c23e0a4ade30603b06d99fc |
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
| MD5 | 5d246c259a00d05b1575ba07cbc4d34d |
| SHA1 | 8a14bb6fe0956b0691744f146db7e7b05375424f |
| SHA256 | a443837b7a43522fde208f02c866ec199f69337722ea969c1f89d15577122869 |
| SHA512 | 39340a5c21e70b270ad580c937a57a52045ca2f4521db29ad6ea40cf9f4a0e67b97d4ab08e85dec25e684bb2f37d0c6121796a7e630d1ed88f5c951410aa7d70 |
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
| MD5 | fbf8ea26474e5498c9b3a04fee105414 |
| SHA1 | dfc94b6a7767889d2a1c428a8f057a6617e23cde |
| SHA256 | 41635514f6bcf0cb33fdc6e6ca64e7a401abdacd1a25762edd8e83d52899bb3b |
| SHA512 | f4c7f345dbba1431c25c9f2e6ae9c856110d439ea3857fd1df6210beb04c53097fff85b37628e9473084cdb7a037ab1d76c26878b8bb0413c6e39bdca0a93c3c |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | e8fd6da54f056363b284608c3f6a832e |
| SHA1 | 32e88b82fd398568517ab03b33e9765b59c4946d |
| SHA256 | b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd |
| SHA512 | 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 01c4246df55a5fff93d086bb56110d2b |
| SHA1 | e2939375c4dd7b478913328b88eaa3c91913cfdc |
| SHA256 | c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889 |
| SHA512 | 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
| MD5 | f845753af4cc7b94f180fb76787e3bc2 |
| SHA1 | 76ca7babbb655d749c9ed69e0b8875370320cc5a |
| SHA256 | a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990 |
| SHA512 | 0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
| MD5 | 66df6f7b7a98ff750aade522c22d239a |
| SHA1 | f69464fe18ed03de597bb46482ae899f43c94617 |
| SHA256 | 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f |
| SHA512 | 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | 15f8c475ea01b5bebf5c5c1f2fa4042f |
| SHA1 | 33c812527cb13a7ca9480711e862e894e8d0ec23 |
| SHA256 | 8191f03dca35a3a95ec8330d8f679010f2ba6f511c530e14edeeac48f86dbad3 |
| SHA512 | caa96ca4e6e5936f5b7af09cf4a54d11c1c58cb26ab091f5e0f06ae8f63f62e6a5d0b1225a201a5fca02ffacf829d97a738857abe416aafa21d429ce2e8c433e |