Analysis Overview
SHA256
86e78c5424bca2e9f9b84c50e251118573dc22bcee6ff908362b6b0e37205bdc
Threat Level: Likely malicious
The file LDPlayer9_ru_1007_ld.exe was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Creates new service(s)
Possible privilege escalation attempt
Modifies file permissions
Launches sc.exe
Loads dropped DLL
Registers COM server for autorun
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Kills process with taskkill
Runs net.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-09 08:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 08:10
Reported
2024-03-09 08:12
Platform
win11-20240221-en
Max time kernel
77s
Max time network
152s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "FormatVerisignExtension" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\bldRTIsoMaker.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\loadall.cmd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Core.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libssl-1_1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\capi.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxExtPackHelperApp.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr100.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\fastpipe2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5WinExtras.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\msvcp140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ucrtbase.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI64.fd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSDL.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5PrintSupport.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VMMR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\load.cmd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vcruntime140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x86.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\GLES12Translator.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxAuthSimple.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdpUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Gui.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SDL.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI32.fd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qminimal.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDTrace.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\dismhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ = "IMediumIO" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ = "IProgress" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\ = "ISystemProperties" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\ = "IUSBDeviceFilters" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0126-43E0-B05D-326E74ABB356} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ = "IMediumAttachment" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ = "IKeyboard" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ = "ICloudNetwork" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7708-444B-9EEF-C116CE423D39} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\FLAGS\ = "0" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ = "IDHCPConfig" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\ = "ISnapshotRestoredEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\ = "IKeyboardLedsChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\ = "IUSBDeviceFilters" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\ = "ISession" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ = "IMousePointerShape" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ = "IMachineDebugger" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7193-426C-A41F-522E8F537FA0} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448E-BC7C-94E9E173BF57} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\ = "ICloudProviderManager" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\ = "IInternalProgressControl" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\ = "IAppliance" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\ = "IMachineEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\ = "IMousePointerShapeChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ru_1007_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ru_1007_ld.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnupdate.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1007 -language=ru -path="C:\LDPlayer\LDPlayer9\"
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=721158
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\dismhost.exe {5F8D3E15-B1D4-4A49-A075-5989794D2060}
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| FR | 13.249.9.21:443 | encdn.ldmnq.com | tcp |
| GB | 142.250.178.14:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.128.155.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.193.84.52.in-addr.arpa | udp |
| FR | 3.162.38.2:443 | cdn.ldplayer.net | tcp |
| GB | 142.250.178.14:80 | www.google-analytics.com | tcp |
| NL | 52.111.243.29:443 | tcp | |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
Files
C:\LDPlayer\LDPlayer9\LDPlayer.exe
| MD5 | 4f2f1fceba830beb49b586ed39e58f56 |
| SHA1 | c57a01e114f7d3b104a766c1087a41fa6a4024e4 |
| SHA256 | d2e179260574ae87fd7caf8721de24de79a35ddc6c79b99b66a8f155dcb01e2a |
| SHA512 | a145ec950d6866829a90ea89f57ef0740a7a8c272308cefeded60e79f3cbdd227c6cd148f708aa496ba8c67a5001914a1e769beae84517bbbfab22db69f9b016 |
C:\LDPlayer\LDPlayer9\LDPlayer.exe
| MD5 | 1b0688d37dd730431e0f646b47b67edb |
| SHA1 | 8d498adfdb9d6f2ca25a3d7c29a5c2b4f310fddb |
| SHA256 | e23eda06365aa97b6cc11f56a2f9b2b411898c1941d0770d51fcc2a793b93f78 |
| SHA512 | 5c8f887954f6d6512e1ee87b24f75c46d5e930d924099df06b7f5f423dbf4240cb1a10f4260ce04e4690cacb49318024a32085618c959f353e0ddc3ae4bf579b |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 1f250c6a88fb5c7595e99ab4a2d4ec86 |
| SHA1 | 14b938b1701edaf82660fac264e9560f2eb5a496 |
| SHA256 | bd7626f84f36e53f0a0209934fe0d99c87963f4a87a3766ef0581c8f0c5129d4 |
| SHA512 | 82125e3a678627631068c2a1a13e038b621a905956e7b7f44304cc0f09caea42bfcc85695ec9633d2a9033f400ae20dbbd079024f692b5fb894d0fce92460b9a |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\msvcp120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 5fcd9e1e4a8f4a40215a0ea5718467e0 |
| SHA1 | 3475e755b2a4dcbd58c5f68a5dc1c842f1ed16fe |
| SHA256 | 13ed6e1742c8633dc24e362fba7672a8d8cb905c07bb34d066c78294df0e2798 |
| SHA512 | 0aebb55fb46f4fa67cae95ec5e0d525716326e035ccbddc38d8cbb00ceb3e83c543b11536e01680068a40438c52614c74d7706218ebb8381b7fe9c8224ef71ea |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | ab2970e1128ad247ad84c88270f1208c |
| SHA1 | 7efb9bde29794270d6bc2688ce2d1304bc95771f |
| SHA256 | 3734164dd3de192b57290890e7c98a50d39038dcb94f870c0269af5a7b97a978 |
| SHA512 | 3f616db170d8297f47a35770d737a20bfc8fc280ccd04b57f95b8fb27576d36fa8b9f604547c4d91bec2470a4e89ecfbf3f528977cde1a2930ea8891ba3f758a |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | 4561fe029159981f3a0dbb6824ae71bd |
| SHA1 | 464e76682ad1f14d0aca95dcc7578de87013f39e |
| SHA256 | 84152f0c5709fe0e4838b470c161ec417e67190eaf41881182ea6998cbbe4057 |
| SHA512 | da9b9a3c28589539a9986d96e6f01db52054e3132f69900231cc03a64372f5f816200809be6ac7f001c1c525e846c7a507bfd60fc0a022d838b7b487e6eccaa4 |
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
| MD5 | 3c8780c98bc3f49d7c3cbf904ab0dc89 |
| SHA1 | 034b656acd111ae7b017e5e7d0c0a1bbc051009e |
| SHA256 | 57ae6f0df49fa1daee499a04d9bec337d8b7ccb1ce67948d2a7de66ef5b297f1 |
| SHA512 | cd37833033452cc2d6c34db2e07a77d3fe154a5c905168d1b2d944389183993fbefe5de84ad1f2e25389a52f8c909a88cc2a68a84362d67196d20de61d3f969a |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | b0ac998af68de21e0ebc6e4d86d8683d |
| SHA1 | 55bb36f1f5f51b8466d8ef79d466181c3865c662 |
| SHA256 | 8f73703f481c378f9bdca3eb7750f09b40bd3de652d755fdf4bcffc0aa7b0aa6 |
| SHA512 | 8b3df9f9a28dbcee77af8a1404a564bd6c19afc9e812369253b1582967a6bc07ebcf854c012c5bc9d5618d0e5af1b03a788dfb86f846878cde8389a39c897f9d |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | c314d85625853d42476a0113626d8b83 |
| SHA1 | 0070dcf11d4833cb73ad996d46560188e4d06241 |
| SHA256 | 5780edbfc576e0d06a76df79aeb031185d1cceb7af4414fcbe96764d1e66f203 |
| SHA512 | 79ddd1a14a18b9a416ef6966292b693d9e32dc1d2904acc9626a301e4bd6b19feec8f21f8aa624a2cb03229d0d327b8d181d8235b2f47bd2cd76378e8da67abb |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | 155c2f212f7e94bd60cd7b14985bd080 |
| SHA1 | 787ca6d019146f30df2fa9a1b529a62fb37f4807 |
| SHA256 | 4d222d42aa0156778010ab527873e242ab681d6abb1d8b60ece6d905fa6c21a7 |
| SHA512 | 2830260954536499309a29acd8b31598e898fff5e2fae42fd97a978a7cea99cfde90406588f254e89e73b0dde76fcab61bc9341294e6eadce11d8f5e2b1e0f2b |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | 48e94ff84c8da4236e2f86cfd8f2efd3 |
| SHA1 | 8b2fb50c24d8157f3352d3b3d64e107e057f7608 |
| SHA256 | cbf58cf004ced82d30a2b73b075f009a73fa17be01e25efd75eb31753c6508a6 |
| SHA512 | 594f99d3fc87cbf23d5b82fb922b80ae831bd76035a49e920be1cab9521d2c9e0e2b0e9961915ba6830ac63d4d9d5cac618af58cd09de234de5a3ae1e0127ab9 |
C:\LDPlayer\LDPlayer9\system.vmdk
| MD5 | ebbb9666932196d1411257f7a4211a9b |
| SHA1 | 1821a27507f51ccd9374b2e41d1d0b413a67ccc8 |
| SHA256 | 3fdf8d117152e75306202bba93c74a46077aa7ccf2fb63972e04a8e2425669c0 |
| SHA512 | d2079cff50ed2fd7a98a87e5f5f2f01d72f4f216ca39b8f4741e627a69d15c18a7c0a2b3f0947e086756263b8bdff8d4b6c2496e9e3576669c1ce78251cf84bc |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\DismHost.exe
| MD5 | 17275206102d1cf6f17346fd73300030 |
| SHA1 | bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166 |
| SHA256 | dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6 |
| SHA512 | ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\DismCorePS.dll
| MD5 | 7f751738de9ac0f2544b2722f3a19eb0 |
| SHA1 | 7187c57cd1bd378ef73ba9ad686a758b892c89dc |
| SHA256 | db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc |
| SHA512 | 0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\DismProv.dll
| MD5 | 2ac64cc617d144ae4f37677b5cdbb9b6 |
| SHA1 | 13fe83d7489d302de9ccefbf02c7737e7f9442f9 |
| SHA256 | 006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44 |
| SHA512 | acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\OSProvider.dll
| MD5 | e9833a54c1a1bfdab3e5189f3f740ff9 |
| SHA1 | ffb999c781161d9a694a841728995fda5b6da6d3 |
| SHA256 | ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85 |
| SHA512 | 0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\LogProvider.dll
| MD5 | c63f6b6d4498f2ec95de15645c48e086 |
| SHA1 | 29f71180feed44f023da9b119ba112f2e23e6a10 |
| SHA256 | 56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde |
| SHA512 | 3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc |
C:\Windows\Logs\DISM\dism.log
| MD5 | 6b4de4fde685667cd88f784ea8f38d1e |
| SHA1 | c720edca2480b22e1c1e6123005536dbdc5b9f9f |
| SHA256 | 2bafdfc267ee69f6882ec10053dca63e47fd071fdf24dbb8d04406a864de91f8 |
| SHA512 | a6c56201568ff157acd1a169da24e5bfa9c6ea78e6553e69e57218af79fe89730e1dbc2eefd40d5152170f770d90bc808df8604e64e48fa4844ff8463c47708c |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\TransmogProvider.dll
| MD5 | 13af6f4851ff9808c9080b8ab16a04cf |
| SHA1 | 0a28f940874710f8d4c54018cb571c73eee8f2db |
| SHA256 | 07687819303bbe4890781efecd6a9bfcb8120abe67d4de89ae28792ca7f81ae5 |
| SHA512 | 221164228a99343bce0b2d847a8c07e827c54b8ca29b00758feac1027449da4fc36cc18e45732ff54fb68499ee2214e1552d0f27e0afab815dd23252184eccc4 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\ImagingProvider.dll
| MD5 | 4c6d681704e3070df2a9d3f42d3a58a2 |
| SHA1 | a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81 |
| SHA256 | f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137 |
| SHA512 | daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\ServicingCommon.dll
| MD5 | 5ed6cba6475fc6a985612e85671b5a1b |
| SHA1 | 364e51bf10a025b18649f9535b63a790c72258c1 |
| SHA256 | 41546e9daf306784c1e9f373a950cda78907e02089f759924f27b5ab36776aab |
| SHA512 | 114338462b1a0e7398641f0e7702f02021e851e78ad4754aff864e5310b7b59008f1ecb16bafab2a8c56760d61897352658208d55c5415fbe48fd759b1de87bc |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\Ffuprovider.dll
| MD5 | 47e064043e1108d55f630bb0993f6442 |
| SHA1 | 4b3633d1361f0a6d573a2abcb67ad4e46f3cc37d |
| SHA256 | b9997686816808c66393e91dbb492f7fef34c1c91c241a0c817422bb44cd07c2 |
| SHA512 | ed5b6d4118dbae7eb210fae1a1eeae7a495492b320556207fadeba25845460d30f80793e3d55ca44d2863780c6fe416bc19b22a303b57fa454be8d2899e9f771 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\Vhdprovider.dll
| MD5 | 8a655555544b2915b5d8676cbf3d77ab |
| SHA1 | 5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2 |
| SHA256 | d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27 |
| SHA512 | c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\Wimprovider.dll
| MD5 | bcf8735528bb89555fc687b1ed358844 |
| SHA1 | 5ef5b24631d2f447c58b0973f61cb02118ae4adc |
| SHA256 | 78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c |
| SHA512 | 8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\ServicingCommon.dll
| MD5 | 6adea867294f98078cf8d58ea6b0e230 |
| SHA1 | 81013c7ba6d8d353b578a880a17d4edbf220b2a7 |
| SHA256 | 1749310ba60f43a5572805c5e476987274d226b396852493f7aa339688d8b644 |
| SHA512 | 0f9c877142bec068dbe59a3673d580e15a09d0071f37dc7244a7d235e8d38045dc730005a27bb93a66acf0b7c744d90050f72c313a653316341a81a651f24555 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\ProvProvider.dll
| MD5 | e4435a89b8a0205ee59ae8f4dc96fe2e |
| SHA1 | 97ea139de599430954280442527165c5d182d31c |
| SHA256 | a2845492632c25eaff53b6808307c5a6e370805e2824657492b05be9d292d5d8 |
| SHA512 | cd53251f06c69655e517e40a6cf6bc974642d407444710faac10d5bf5e703913b5e356038de20dd3f06edc001c1c0f237801d5fb02226dcaacbc73a0c1851059 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\ProvProvider.dll
| MD5 | 2ef388f7769205ca319630dd328dcef1 |
| SHA1 | 6dc9ed84e72af4d3e7793c07cfb244626470f3b6 |
| SHA256 | 4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf |
| SHA512 | b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\TransmogProvider.dll
| MD5 | c2c244b807cbd5279bbd8b4a1b8f460c |
| SHA1 | 5ec3a4e47d2746f4623190261f4b804667a65607 |
| SHA256 | 004633ec24cb0c79f2ae7bbab697bc819aa84c28d66b5ffc6b40eb3f682b2e95 |
| SHA512 | 149a783d5f2f8f0459101dd8a02b6efffdd4e63f570cffdbbcb50646f5637927d248a85acfdcccc7516a946efb513e9e9b3eee0ff0eda1d6c699b8a6ff78fcba |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\IntlProvider.dll
| MD5 | 34035aed2021763bec1a7112d53732f1 |
| SHA1 | 7132595f73755c3ae20a01b6863ac9518f7b75a4 |
| SHA256 | aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731 |
| SHA512 | ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\CbsProvider.dll
| MD5 | 8f971784892bfafd35a874dce1408900 |
| SHA1 | 8b278817448f00c4d575e84b42c52c7839ddf03c |
| SHA256 | ed423903f8033075df0932b196b1b9e1aa7be7eacc3b2a69cf3157de1a263166 |
| SHA512 | e66af15c8868347138c72a0f7eb9b72e7e919d11241aafc9ae68390b3ed2588bf852b29847ab68268645cbf9563cae0a71bf14e6c7d9e4101e255bafa0a2f7a2 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\CbsProvider.dll
| MD5 | da320b093b67820fbb76f48a74dc665c |
| SHA1 | 312cfc793f482c305ca1f389d56c271ac5eabf8d |
| SHA256 | 701e538376a5e24476c2cd0eeb40f36566362452080a399a7303dcba0f85877f |
| SHA512 | 295493cc8a82fb8251bc798dda985dd9cc1bded1a4cbe1ffee081d2fb5a816e4995746537a8eb5aeef7c042bb0b305212b863dc9a1d6dcc1cacac9e218c952de |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\GenericProvider.dll
| MD5 | 20fb116831396d9477e352d42097741c |
| SHA1 | 7e063ac9bc173a81dc56dc5864f912041e2c725a |
| SHA256 | 6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4 |
| SHA512 | 851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\DmiProvider.dll
| MD5 | e54120aa50f14e0d3d257e77db46ece5 |
| SHA1 | 922203542962ec5f938dcb3c876f060ecf17f9dc |
| SHA256 | b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54 |
| SHA512 | fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\MsiProvider.dll
| MD5 | eb171b7a41a7dd48940f7521da61feb0 |
| SHA1 | 9f2a5ddac7b78615f5a7af753d835aaa41e788fc |
| SHA256 | 56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55 |
| SHA512 | 5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\SmiProvider.dll
| MD5 | 46e3e59dbf300ae56292dea398197837 |
| SHA1 | 78636b25fdb32c8fcdf5fe73cac611213f13a8be |
| SHA256 | 5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339 |
| SHA512 | e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\IBSProvider.dll
| MD5 | f6b7301c18f651567a5f816c2eb7384d |
| SHA1 | 40cd6efc28aa7efe86b265af208b0e49bec09ae4 |
| SHA256 | 8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61 |
| SHA512 | 4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\AssocProvider.dll
| MD5 | 702f9c8fb68fd19514c106e749ec357d |
| SHA1 | 7c141106e4ae8f3a0e5f75d8277ec830fc79eccc |
| SHA256 | 21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358 |
| SHA512 | 2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\SysprepProvider.dll
| MD5 | 4dfa1eeec0822bfcfb95e4fa8ec6c143 |
| SHA1 | 54251e697e289020a72e1fd412e34713f2e292cf |
| SHA256 | 901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494 |
| SHA512 | 5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4 |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\UnattendProvider.dll
| MD5 | 7c61284580a6bc4a4c9c92a39bd9ea08 |
| SHA1 | 4579294e3f3b6c03b03b15c249b9cac66e730d2a |
| SHA256 | 3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8 |
| SHA512 | b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\OfflineSetupProvider.dll
| MD5 | 3437087e6819614a8d54c9bc59a23139 |
| SHA1 | ae84efe44b02bacdb9da876e18715100a18362be |
| SHA256 | 8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74 |
| SHA512 | 018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde |
C:\Users\Admin\AppData\Local\Temp\B99D1453-5FA5-4BD4-B4ED-2DA3FBAEE74A\EdgeProvider.dll
| MD5 | c22cc16103ee51ba59b765c6b449bddb |
| SHA1 | b0683f837e1e44c46c9a050e0a3753893ece24ad |
| SHA256 | eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b |
| SHA512 | 2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e |
C:\Windows\Logs\DISM\dism.log
| MD5 | 73ae63b3e88ab7d13a9dcf3b93403fdf |
| SHA1 | 0dbbde243e1f7fc0ad4227b1a440c446fec115e5 |
| SHA256 | 7af931c7cba7d7f3846b89e984a173e6eb7469e389cf5bdfa55502addd9445ab |
| SHA512 | c4ade0bacf52f1deeaf360a787e04428bd180e08ba270924279168463a8f7eb50d37e38ebf79d60b5b1b3f8c67fa8c0926ebe44a338f6abd0528d6bb0c1d4bef |
memory/3428-674-0x0000000071E50000-0x0000000072601000-memory.dmp
memory/3428-676-0x0000000002D30000-0x0000000002D66000-memory.dmp
memory/3428-675-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3428-677-0x0000000005990000-0x0000000005FBA000-memory.dmp
memory/3428-678-0x00000000056C0000-0x00000000056E2000-memory.dmp
memory/3428-679-0x0000000005FC0000-0x0000000006026000-memory.dmp
memory/3428-680-0x0000000006030000-0x0000000006096000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3sqtok0u.3ea.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3428-689-0x00000000060A0000-0x00000000063F7000-memory.dmp
memory/3428-690-0x0000000006530000-0x000000000654E000-memory.dmp
memory/3428-691-0x00000000065F0000-0x000000000663C000-memory.dmp
memory/3428-693-0x000000007F190000-0x000000007F1A0000-memory.dmp
memory/3428-692-0x00000000076E0000-0x0000000007714000-memory.dmp
memory/3428-694-0x000000006E880000-0x000000006E8CC000-memory.dmp
memory/3428-703-0x0000000006B10000-0x0000000006B2E000-memory.dmp
memory/3428-705-0x0000000007730000-0x00000000077D4000-memory.dmp
memory/3428-704-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3428-706-0x0000000007ED0000-0x000000000854A000-memory.dmp
memory/3428-707-0x0000000007890000-0x00000000078AA000-memory.dmp
memory/3428-708-0x0000000007910000-0x000000000791A000-memory.dmp
memory/3428-709-0x0000000007B20000-0x0000000007BB6000-memory.dmp
memory/3428-710-0x0000000007AA0000-0x0000000007AB1000-memory.dmp
memory/3428-711-0x0000000007AE0000-0x0000000007AEE000-memory.dmp
memory/3428-712-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
memory/3428-713-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3428-716-0x0000000071E50000-0x0000000072601000-memory.dmp
memory/128-718-0x0000000004A50000-0x0000000004A60000-memory.dmp
memory/128-717-0x0000000071E50000-0x0000000072601000-memory.dmp
memory/128-727-0x000000006E880000-0x000000006E8CC000-memory.dmp
memory/128-736-0x0000000004A50000-0x0000000004A60000-memory.dmp
memory/128-737-0x0000000004A50000-0x0000000004A60000-memory.dmp
memory/128-739-0x0000000071E50000-0x0000000072601000-memory.dmp
memory/4044-740-0x0000000071E50000-0x0000000072601000-memory.dmp
memory/4044-741-0x0000000004910000-0x0000000004920000-memory.dmp
memory/4044-750-0x00000000056D0000-0x0000000005A27000-memory.dmp
memory/4044-751-0x000000006E880000-0x000000006E8CC000-memory.dmp
memory/4044-752-0x000000007FBA0000-0x000000007FBB0000-memory.dmp
memory/4044-762-0x0000000004910000-0x0000000004920000-memory.dmp
memory/4044-761-0x0000000004910000-0x0000000004920000-memory.dmp
memory/4044-763-0x0000000004910000-0x0000000004920000-memory.dmp
memory/4044-765-0x0000000071E50000-0x0000000072601000-memory.dmp
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
| MD5 | fc49f26e340a1bd28dbc297ccfdbbba2 |
| SHA1 | 8001f7519bb4308d1681066c76f4e04aa9b3a536 |
| SHA256 | ba94fdb2cd467b4440d341b819c9d0a0f0e033ab4b49dc51b8bd4e9ba2e86acc |
| SHA512 | 0f1e537f34b0a63a6b08118943da9192d17a4914d6769d53eea9006ad69c4921efd6fda45ccd415f5ea1360e9f5278099567a314cb60a2500ce9d3e6fa1dde01 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\ldmutiplayer\msvcr120.dll
| MD5 | 330faf2e583bf701f4ec0b429f78c29a |
| SHA1 | 77d526f8303666c2d1948b2a017ba5fa09990479 |
| SHA256 | 638f248f3515eff63ae09e93076ba3e925cff2aa6fa2888291ea3e481d97d9dd |
| SHA512 | faa26eaeea0641b1c5c4d03769df4789dd28bbb8c80aebeed7940f443c91c27e5ad03a1085e00c7cfb6425fde8e53e7b5248bc550ed6139c552a1377559d4458 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | e38ad9575b0bc120f485456a7916cbb0 |
| SHA1 | df14e152e41650a803fb3df78e108c4560801ddc |
| SHA256 | c710f048a2810569ed540f984692274ee2e9be865e9e5335ca1a184ae129d3c8 |
| SHA512 | 9fdc1f86d2f970f8178bc148ba9023de54d1dc2b57083dcf0e7bbf0847ad71b60ce83f74d057335264a5ce715e036050750771650fb7b5245d18405bb8b50513 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | b159fafad3a7cb173f73266ed8072f1b |
| SHA1 | ed76b5c8d2946d17681850fe61c900e3cc0580a6 |
| SHA256 | 04394378b43b8de8b628eeb569014ab3d14d3930a7725f42967c6b7c4ac219ae |
| SHA512 | 1b7d0ec06437f19561f726a1328cef79669438f16cd15aeaa8ca55aab053327c36b666f5e3f5c22471257d35a3e6c68f2f4870488f0f4d99c3fcbcdf375c9465 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | 490437415064afaeceaa8196211df7cb |
| SHA1 | 497046f8e6c74c07909a8662f379571d2de5bffa |
| SHA256 | 645c243b9cdd2a015a44d636558919782a4ca15ae5d9cb2cc6370fd4fe1bc0d2 |
| SHA512 | 8c717ab07ff94b014c7566ee44e9a4370e806c127cf25a03f2277f2674d5f002f5aec94bd8f40348ed4524ab75df275f7a9ce634145f42843ea297bcec6a17c3 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 1bb399f965af403174009b9e28358c40 |
| SHA1 | 1b409154e3def3f0f4c40c681daae5ab8c141156 |
| SHA256 | e15822a9ace09aa90b952ada3f12f8da7819a72f520ed08a44fbb914920228c2 |
| SHA512 | 25a4bcbfd19a80694a1712530a1ea30ea2c63b8cfc6c222ba058bdf37a1e46206c5c21067a5dffbbe100d9e40e19169da2d88970ab06d9f8d3e62935b9387e44 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
| MD5 | 7d3c3ed813a0c0f294ff68f98c08ec32 |
| SHA1 | c0c9a0c1d50973f0c29f414c705d8fc57192b3d3 |
| SHA256 | 8ff5ed97ff1747ae6238ffbd6869acd0ba464680b455c7d429481d5851d2745c |
| SHA512 | cd78bbce3c53475b09f2a651b16e050a5f85eb8c2dcc3e5139f18a1bb0ed92bd90dee852cf59e1bd55cfd021b1e77615825fa2ddeaa4d20491ae9f2464a6a6c4 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
| MD5 | cb3d933f5587c39d2893fb7c5bd71d89 |
| SHA1 | 054f37011696ab0e3075737051bfb321415d06ac |
| SHA256 | 76b1f91b56dada0aecf2e9551f5332fe1edd71e85c220fab1ca3c7d004d854b5 |
| SHA512 | 78b47ed7e0df6aefe305d86e5f81690407c59189a04f0203532b1e7566eec693ee4fcc8a17dcd973a5d55e1dfdc336384decc91a0effd5c1d163d5fa1169615d |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | 05ed5d2ca6c74927aa743d95decc6210 |
| SHA1 | 311b129a3080920443a6ce44ceec1b46fdd7d276 |
| SHA256 | 28ca660c38896eafba539d1ebf71132d2d06368d2530da2ea588245e20add5ab |
| SHA512 | e7332ba615e5e206216bbba175ab193d36d0ba8df033658856e8c4f351ea729b5949d7b267db02b6cd5ea73cb9e6dc46b32b42dd94fbbc076f50f7d8c76d6460 |
C:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | 3a8a793bfc49f8555e90c84cabd7064e |
| SHA1 | 46f49af0b628645b8e1d919481c1fa2dfea79b86 |
| SHA256 | 716898c37b037935cf512e08a4653b21d0f53fa6283d243597994a9c5617d4af |
| SHA512 | e4ac544fe09db48a1d3ac0b6bbca67060a1f2d22c186f1f334815240ddf56accd80c5e9c6156a4b75841b24c755b120c0dbeacaf23ea795c653af34f75bdd25e |
C:\LDPlayer\ldmutiplayer\libeay32.dll
| MD5 | c2876cdeb1327ad7bb7ce6a9f187bb8b |
| SHA1 | 7a6ef0eceb0d085c771a6c87c96be64227b9ceda |
| SHA256 | 8b7b9cef5a11928527697f3a3670aa5f1f971b2b96d1f0a20453675004a6d2b3 |
| SHA512 | b58ca099cfa335dbb08faf888fc0526f5144b03dfe8e30d045101b19d0673e5a2fbfd3c31f83e750864b68b92ffc5183e84c5819144c3049499e9dd7954b9fef |