Malware Analysis Report

2024-09-11 05:43

Sample ID 240608-dzhjqshb94
Target LDPlayer9_tw_35034_ld.exe
SHA256 9320bcfefd886f7b5ca62abf74c4bcfea496124408791d9c670ae4808a8a3c4b
Tags
discovery execution exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

9320bcfefd886f7b5ca62abf74c4bcfea496124408791d9c670ae4808a8a3c4b

Threat Level: Likely malicious

The file LDPlayer9_tw_35034_ld.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit persistence

Possible privilege escalation attempt

Manipulates Digital Signatures

Creates new service(s)

Modifies file permissions

Downloads MZ/PE file

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Subvert Trust Controls
T1553
SIP and Trust Provider Hijacking
T1553.003
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-08 03:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 03:26

Reported

2024-06-08 03:31

Platform

win10-20240404-en

Max time kernel

162s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe"

Signatures

Creates new service(s)

persistence execution

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Encode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "WintrustCertificateTrust" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Downloads MZ/PE file

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ldplayer9box\tstPDMAsyncCompletion.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxDD2.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\msvcp140.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\capi.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\Ld9BoxSup.cat C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\regsvr32_x86.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\ossltest.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxDDU.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxTestOGL.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\Ld9BoxSVC.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxExtPackHelperApp.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxStub.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VirtualBoxVM.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\NetAdpInstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxC.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxSDL.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\GLES_V2.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\bldRTIsoMaker.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\NetFltUninstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-heap-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\dasync.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxNetNAT.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\UICommon.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\Qt5Widgets.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxVMMPreload.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\msvcr120.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\ucrtbase.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\USBTest.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\msvcp140.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\NetLwfUninstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxAuthSimple.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\SysWOW64\dism.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" C:\Windows\SYSTEM32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ = "IAdditionsStateChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ = "IProcess" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808E-11E9-B773-133D9330F849}\ProxyStubClsid32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\ = "IDHCPGlobalConfig" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ = "INATNetworkCreationDeletionEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CLSID\ = "{20191216-47b9-4a1e-82b2-07ccd5323c3f}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\ = "INetworkAdapter" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\NumMethods\ = "15" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\NumMethods\ = "16" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ = "IMachineStateChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\NumMethods\ = "24" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId\ = "VirtualBox.VirtualBox.1" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods\ = "16" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\NumMethods\ = "51" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\ProgId\ = "VirtualBox.Session.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\NumMethods\ = "55" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A06-81FC-A916-78B2DA1FA0E5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4521-44CC-DF95-186E4D057C83} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\ = "IExtPackFile" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\ = "IEventSourceChangedEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ = "IGuestDnDSource" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\ProxyStubClsid32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4BA3-7903-2AA4-43988BA11554} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E64A-4908-804E-371CAD23A756}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\ = "IHostUpdate" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\NumMethods\ = "19" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\NumMethods C:\Windows\SYSTEM32\regsvr32.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 2232 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 2232 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 4116 wrote to memory of 1500 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 4116 wrote to memory of 1500 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 4116 wrote to memory of 1500 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 1500 wrote to memory of 816 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 1500 wrote to memory of 816 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 1500 wrote to memory of 816 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 816 wrote to memory of 3540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 816 wrote to memory of 3540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 816 wrote to memory of 3540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1500 wrote to memory of 920 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 920 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 920 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 3164 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 3164 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 3164 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 224 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 224 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 224 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 220 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 220 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 220 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 236 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 236 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 236 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 96 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1500 wrote to memory of 96 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1500 wrote to memory of 96 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1500 wrote to memory of 1428 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 1428 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 1428 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 208 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\takeown.exe
PID 1500 wrote to memory of 208 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\takeown.exe
PID 1500 wrote to memory of 208 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\takeown.exe
PID 1500 wrote to memory of 5060 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 5060 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 5060 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 2892 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\System32\Conhost.exe
PID 1500 wrote to memory of 2892 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\System32\Conhost.exe
PID 1500 wrote to memory of 2892 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\System32\Conhost.exe
PID 1500 wrote to memory of 512 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 512 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 512 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 4572 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\dism.exe
PID 1500 wrote to memory of 4572 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\dism.exe
PID 1500 wrote to memory of 4572 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\dism.exe
PID 1500 wrote to memory of 1404 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 1404 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 1404 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 3036 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1500 wrote to memory of 3036 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1500 wrote to memory of 3036 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1500 wrote to memory of 2804 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 2804 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 2804 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\sc.exe
PID 1500 wrote to memory of 4536 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
PID 1500 wrote to memory of 4536 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
PID 1500 wrote to memory of 4960 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1500 wrote to memory of 4960 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 1500 wrote to memory of 3992 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 3992 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1500 wrote to memory of 3992 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe"

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=35034 -language=tw -path="C:\LDPlayer\LDPlayer9\"

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=131454

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\SYSTEM32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\LDPlayer\LDPlayer9\dnconsole.exe

"C:\LDPlayer\LDPlayer9\\dnconsole.exe" installapk --index 0 --filename "C:\LDPlayer\LDPlayer9\\星隕計畫.apk" --wait --hide

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|apk=C:\LDPlayer\LDPlayer9\\星隕計畫.apk|wait=dn_console_5004_1|show=0

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x37c

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\ldplayer9box\vbox-img.exe

"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe

"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config

C:\LDPlayer\LDPlayer9\dnplayer.exe

"C:\LDPlayer\LDPlayer9\dnplayer.exe" package=com.nerversoft.ark.recode

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 encdn.ldmnq.com udp
DE 18.245.46.20:443 encdn.ldmnq.com tcp
US 8.8.8.8:53 20.46.245.18.in-addr.arpa udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
DE 18.245.46.20:443 encdn.ldmnq.com tcp
US 8.8.8.8:53 10.2.138.108.in-addr.arpa udp
US 8.8.8.8:53 64.39.245.18.in-addr.arpa udp
US 8.8.8.8:53 cdn.ldplayer.net udp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 8.8.8.8:53 19.82.161.3.in-addr.arpa udp
US 8.8.8.8:53 udp
SG 8.219.4.49:443 tcp
US 8.8.8.8:53 49.4.219.8.in-addr.arpa udp
US 8.8.8.8:53 udp
US 199.232.210.172:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
JP 13.78.111.199:443 tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 udp
FR 142.250.75.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 middledata.ldplayer.net udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
DE 18.245.46.20:80 encdn.ldmnq.com tcp
US 8.8.8.8:53 en.ldplayer.net udp
US 8.8.8.8:53 cdn.ldplayer.net udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
US 163.181.154.238:443 en.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 8.8.8.8:53 apitw.ldmnq.com udp
US 13.225.78.38:80 apitw.ldmnq.com tcp
US 13.225.78.38:443 apitw.ldmnq.com tcp
US 8.8.8.8:53 38.78.225.13.in-addr.arpa udp
US 13.225.78.38:443 apitw.ldmnq.com tcp
US 8.8.8.8:53 www.ldplayer.tw udp
US 163.181.154.235:443 www.ldplayer.tw tcp
US 163.181.154.235:443 www.ldplayer.tw tcp
US 8.8.8.8:53 235.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 cmp.setupcmp.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 3.161.82.19:443 cdn.ldplayer.net tcp
US 172.67.70.36:443 cmp.setupcmp.com tcp
US 172.67.70.36:443 cmp.setupcmp.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 encdn.ldmnq.com udp
US 8.8.8.8:53 stpd.cloud udp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
US 104.18.31.49:443 stpd.cloud tcp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
NO 54.240.174.41:443 encdn.ldmnq.com tcp
US 104.18.31.49:443 stpd.cloud tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 ldcdn.ldmnq.com udp
US 163.181.154.231:443 ldcdn.ldmnq.com tcp
US 163.181.154.231:443 ldcdn.ldmnq.com tcp
US 8.8.8.8:53 www.googletagservices.com udp
US 8.8.8.8:53 36.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 173.2.138.108.in-addr.arpa udp
US 8.8.8.8:53 49.31.18.104.in-addr.arpa udp
US 8.8.8.8:53 41.174.240.54.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 231.154.181.163.in-addr.arpa udp
FR 142.250.201.162:443 www.googletagservices.com tcp
FR 142.250.201.162:443 www.googletagservices.com tcp
US 8.8.8.8:53 xinchacha2dv.ocsp-certum.com udp
NL 23.62.61.137:80 xinchacha2dv.ocsp-certum.com tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 csi.gstatic.com udp
US 142.251.111.120:443 csi.gstatic.com tcp
US 142.251.111.120:443 csi.gstatic.com tcp
US 8.8.8.8:53 120.111.251.142.in-addr.arpa udp
US 163.181.154.235:443 ldcdn.ldmnq.com tcp
US 163.181.154.235:443 ldcdn.ldmnq.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 www.youtube.com udp
FR 142.250.178.142:443 www.youtube.com tcp
FR 142.250.178.142:443 www.youtube.com tcp
US 8.8.8.8:53 encdn.ldmnq.com udp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
DE 18.245.46.60:443 encdn.ldmnq.com tcp
US 104.18.31.49:443 stpd.cloud tcp
US 104.18.31.49:443 stpd.cloud tcp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
FR 142.250.201.162:443 securepubads.g.doubleclick.net tcp
FR 216.58.214.166:443 tcp
FR 216.58.214.166:443 tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 142.250.74.234:443 jnn-pa.googleapis.com tcp
FR 142.250.74.234:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 60.46.245.18.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 166.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
FR 216.58.215.36:443 www.google.com tcp
FR 216.58.215.36:443 www.google.com tcp
FR 142.250.178.150:443 i.ytimg.com tcp
FR 142.250.178.150:443 i.ytimg.com tcp
US 8.8.8.8:53 yt3.ggpht.com udp
FR 172.217.20.193:443 yt3.ggpht.com tcp
FR 172.217.20.193:443 yt3.ggpht.com tcp
US 8.8.8.8:53 234.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 150.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 193.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp

Files

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 8864f892ab18f79bb747f5fa9671ba44
SHA1 051ad4d25f3b84b5e3c321d219058fb903fe03a1
SHA256 b19e5ec536c145e382d60cbf66ba641bef455bd45e8436b7561900fe0caa22ed
SHA512 b0aae6463856a8edd55ad36791dc93a81774e24cdf6ab779cfb4c129437a129917c8bfd7fb710ad2d7ebc73644c17793c12d85bf80add8392377880e0da8e5f1

C:\LDPlayer\LDPlayer9\dnresource.rcc

MD5 11875ecd4c26a28e79f74970efdf3f3b
SHA1 777990df4602aba2d699f65f27f83c5c3225b43e
SHA256 d4583db3e2c336bf2d7177777a587add214868c8626c11a75914cb8af14ddaa3
SHA512 edf3d4794b7e3f11828bb97db249a6546b528e4b6102833cd7e67fe500f1f0141855806dc9503d73782ceae5f5494d5489b2dac735b84d9ca9bc2fa43b2dd4fd

\LDPlayer\LDPlayer9\crashreport.dll

MD5 7d2b7e50bf352bcacd36ace10744bb75
SHA1 8e30304a46431422f8f980141f674416e554fc8f
SHA256 14bff3e96d291118952ed06f7f475f882b2c1ecc1eac9823c508c63c02fc9da0
SHA512 deb21e0633c48959ff20e7ab1884230e00f1b97d1e156a41b967521221f2e29412be040ddff649db9e03a5977654df744f1bb974091a7e5cabb2c859bfc869fb

\LDPlayer\LDPlayer9\msvcp120.dll

MD5 50260b0f19aaa7e37c4082fecef8ff41
SHA1 ce672489b29baa7119881497ed5044b21ad8fe30
SHA256 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA512 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

\LDPlayer\LDPlayer9\msvcr120.dll

MD5 50097ec217ce0ebb9b4caa09cd2cd73a
SHA1 8cd3018c4170072464fbcd7cba563df1fc2b884c
SHA256 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512 ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

C:\LDPlayer\LDPlayer9\system.vmdk

MD5 96afddba4374afe1aa3ebe05718d5cea
SHA1 52e0c2074d09c66ef0d00d2a08c5a848e271d7bf
SHA256 aa05e50afc37e7e55ad5494e125b83a64e981f6aea9131b89884eba19b81bc6f
SHA512 5e1ddb71265cf13fbc85d912e56ae1ef64d10c5a824d6e82bcd84934c93adab62f4da0973646b4e7e6cfaaea7de5bcdb7794178492ad5b43fb9391796641d4c5

C:\Windows\Logs\DISM\dism.log

MD5 e1e2aafac137c58fad4274f4f7b561cc
SHA1 37e2e5d8b31c01831598876cae22c1d6b8a4381f
SHA256 7eb6445bebc98cc0850ebe491d02727e1219908c616a463d156504bac12f2841
SHA512 6693b0c72ac3be2d0d2f94d710895f4d5dd7861bcafdec1b1ae57abf6c1b301c51993d59b88677f88bb5cf1cf1fa0770c65c80cbed1877c33c58020f675b0099

C:\LDPlayer\LDPlayer9\system.vmdk

MD5 ba73ae3bdd71e2e47c3605cbbe1c7d18
SHA1 459121a85c2a2de8e9813f30f3100363b961ffc8
SHA256 27dd99299584d3bf98712821733f8052b755120356c06f27f3255ed29318d92c
SHA512 3dea7075e3e72fa835e0575a23a40185af6c1d6be3560d5b5258dd42aa54bde328c0bd032ec9231b9b9f01ff316b01579b1554032ff9827f163ef04e92514131

C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

MD5 38809b2197fb7f2a7a915717dce6b64f
SHA1 672b5be65c64be31709bc1fa82219ee78ca1b2ee
SHA256 9f642052fbc75c4a7a128efc0c8832d5fdc14ad1d73c27292a4be763a46b2526
SHA512 3a01fac99ac3ed988f36338a31407655c96f6b411e7e33491c33cee264e4084eac10a3d248e0328119d8d265fbd0c704447ef42571b43d629d5f8cb41f4e9990

C:\LDPlayer\LDPlayer9\MSVCR120.dll

MD5 216941ce2a05a004170575391ac9d915
SHA1 6f5d32f9e4df22358f20e8f21f3b4373b41f0628
SHA256 5eeb8d89a38647972e381f4e77e2c7d8d30b1c2d5387f707f2d1d82736ce0ae3
SHA512 2595fb5475f3ab631b435d8165b9815910086c1bda5d863f174b9cb4ad155cf8b61e142dc49f87d72992153069d5c2414007483bd8998a0b18fc67582a770847

C:\LDPlayer\LDPlayer9\dnrepairer.exe

MD5 131fa59cb2180d3502af50553f7eed2a
SHA1 de43666eec6497883450a85c1b7cea519e893b34
SHA256 ed4e3d2e25df76cc6924f96a2aaa11fc97573b48327138ecb624491f480a292b
SHA512 6a6f578e069461c347e3ab257468ba605e4df4a59eb7713fc248685b5b05f04eadb997a4e10342dfb047ef9898b695fadf5fefae4a202e2760f9eadad755a349

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 b8bce84b33ae9f56369b3791f16a6c47
SHA1 50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4
SHA256 0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8
SHA512 326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf

C:\LDPlayer\LDPlayer9\vbox64\ldutils.dll

MD5 9583d4bbe599c18af396ced39cbdc801
SHA1 0771aed3b21d658eaca219dc4aee1b16cbe3aec0
SHA256 f60b7cd38d01003e81488560b37e90ee893e21d427f3eae1ea8d081ab5e738df
SHA512 61c1978cebbfd5f382ac3b42bec013bff5d1be40776819fa95859cf15753d1872e5849ea5ec0fd17b9037dd91bcb61d378bda765ef7603e115a0aad27baed887

memory/4464-529-0x00000000045D0000-0x0000000004606000-memory.dmp

memory/4464-530-0x0000000007160000-0x0000000007788000-memory.dmp

memory/4464-533-0x0000000007890000-0x00000000078F6000-memory.dmp

memory/4464-534-0x00000000079E0000-0x0000000007D30000-memory.dmp

memory/4464-532-0x0000000007900000-0x0000000007966000-memory.dmp

memory/4464-535-0x0000000007140000-0x000000000715C000-memory.dmp

memory/4464-536-0x0000000007E50000-0x0000000007E9B000-memory.dmp

memory/4464-531-0x0000000007110000-0x0000000007132000-memory.dmp

memory/4464-537-0x0000000008090000-0x0000000008106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3v4all4m.pmd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\LDPlayer\LDPlayer9\vbox64\host_manager.dll

MD5 99dadf18ad39a01bf713bd71616a7227
SHA1 0da0fcad3356a616ce85467beb74893c2402a6d6
SHA256 b3e84773053b4eb85943b2c921458bf395ef4585a1901f553feaeb04ab488243
SHA512 0f635006b4758fde1bb215f15578701074feb7cc30da46d88ca6ebc6c57d4fe0de14ff51406df6dcdd3b7a200bd1fc0110b45cd92056226b7a2d5a9b0c6dcd10

C:\LDPlayer\LDPlayer9\vbox64\GLES_V2_utils.dll

MD5 4e2e943988c68cc09986d024f04f309c
SHA1 7d65b418637dbfb1e1a9a46dcf09e1ce236a8983
SHA256 0a5217f5d9949dbf163dfb6e5db14ca052587e24b8406faba911df31ca02db03
SHA512 db6c4be456b6ca32b2d5838cfd82029b4b995b81a06197002c55da355031a9b8ddbde70278abbcd6b6d79b072a90490ced37903f3fc172b91d9a91775583e16c

C:\LDPlayer\LDPlayer9\vbox64\GLES_V2.dll

MD5 4bd8566bc8982cb9a38908d91560c26d
SHA1 b1ae50010801241f7fa6d555deb3e60f4e0c8859
SHA256 008cc228d054ba049687adbe819942515cffd461eac78b07adb9d571dcadf2fa
SHA512 64962738f0287ec536170e65441621c629ebbaa69da8fc55c35d53373f533878fc27808382022fc754a779bc7f8b4d17311a1af24142fd92646dbc386f03609e

C:\LDPlayer\LDPlayer9\vbox64\GLES_CM.dll

MD5 85e67dd853d52a541039a346b6347c99
SHA1 842c9f0ef2ed7b88d4f9fbe40a1954a26fd06410
SHA256 647c746e67f43e51e5dc048e1f75d44e9de9a5a0b31568bac4d3a50275fdc0e8
SHA512 ffc1e228aa825a3a4b3c1e23f02cde8229032ae53dc07197c7a8d64eabbad1163ba719bc5ae93c4cd6efaafc4e352acc1c3ad94cfa80d2e329fd992e5f5f6b00

C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll

MD5 4c1212052e7120caea026713579d107b
SHA1 ca4fdd7cdd92eeecc696f78984cd11c9a1ed9110
SHA256 e6a5c669e81dddfba8e121372757c39eaf160a6ad2a20d1d2b06d281c7df6dc6
SHA512 780e7ea989ecdd0283f26aee76b5781de0b3a2fe7f54e80d134694537ae589eb5a50f27613f464fdc378aaa7302b7bc102d6976b04852a7cda5e4338d9e3388d

C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll

MD5 9fdb6dba15233c64132e27561230daa6
SHA1 0d65ed9eb876cf72eb54d0b298baad9e2bf2a246
SHA256 f51c9f4a5cf104a28fff8ede547a9536eccbecbf18996f05ed2d66370f05cf8d
SHA512 7a03465d02322730e14930535f105d970d71d86e9e9fc39d1d520eb3b2329f98418161170523202cce9b9465e3c25993cb03485d4e6b50c109e5e1faa3a4e343

C:\LDPlayer\LDPlayer9\vbox64\EGL.dll

MD5 0c5947280fc75b3eb5ee11d075bf2382
SHA1 5662899df031e0f24da8d0df065fccab3b87b7a7
SHA256 2208607f55744a22c31453e81bd060713560e7faf3e49ac802a2375ceedfd3f2
SHA512 21d61c3a49c31243ce36e503d2d3107b58082a61b80ab305d1e1493af4ee3030fd43ac89a50a0ea6e9ccfc3bcdfca6ed2010ef76bb8d3ffa21a8940efea1301f

C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll

MD5 f274c9aead1a1d1b022404a5412d5ee1
SHA1 4a297ee3d1402ee66a6b22f87181a32d86fff08b
SHA256 1d5186e0fe02d283229fa8ef1deb58f61c0604c9c6a0001da08b70fccd332b3a
SHA512 1d060c7362749a28575605e72188c42f0cf7180cd96ea77fcf8b0934187abf4ffd3b6f97fa83ea033510cf941b175d6564be7a65e66cd819e1e24e165a5d6dc3

memory/4464-561-0x00000000092E0000-0x0000000009385000-memory.dmp

memory/4464-556-0x0000000008F80000-0x0000000008F9E000-memory.dmp

memory/4464-562-0x00000000094C0000-0x0000000009554000-memory.dmp

memory/4464-555-0x000000006DBD0000-0x000000006DC1B000-memory.dmp

memory/4464-554-0x0000000008FA0000-0x0000000008FD3000-memory.dmp

C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll

MD5 65f2e5a61f39996c4df8ae70723ab1f7
SHA1 7b32055335b37d734b1ab518dcae874352cd6d5c
SHA256 8032b43bdd2f18ce7eb131e7cd542967081bea9490df08681bf805ce4f4d3aab
SHA512 0b44153ac0c49170008fb905a73b0ab3c167a75dc2f7330aed503f3c0aedfd5164a92d6f759959a11eceb69e2918cb97c571a82715ad41f6b96888d59973f822

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll

MD5 cb4a19b88bec5a8806b419cf7c828018
SHA1 2bc264e0eccb1a9d821bca82b5a5c58dc2464c5d
SHA256 97e4c91103c186517fa248772b9204acf08fde05557a19efe28d11fb0932b1f7
SHA512 381edd45ecd5d2bdefd1e3ad0c8465a32620dfa9b97717cadb6a584c9528fed0d599d5a4889962f04908ca4e2b7b4497f0e69d8481ee5f34ea5d9106d99760c3

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll

MD5 a992f1e06c3c32ffe9799d4750af070a
SHA1 97ffd536d048720010133c3d79b6deed7fc82e58
SHA256 b401edaac4b41da73356de9b3358dc21f8b998a63413c868510dc734b1e4022f
SHA512 50bd08680fccff190454e6555e65e2787bdc0e8a9bf711e364eb0b065951c2430559e049202b8f330ac65e9d4cd588349c524a71f700e179859d7829d8e840b8

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll

MD5 d3d72d7f4c048d46d81a34e4186600b4
SHA1 cdcad0a3df99f9aee0f49c549758ee386a3d915f
SHA256 fd8a73640a158857dd76173c5d97ceeba190e3c3eabf39446936b24032b54116
SHA512 6bf9d2fdc5c2d8cd08bf543ef7a0cdcb69d7658a12bee5601eeb9381b11d78d3c42ef9dd7e132e37d1ec34cc3dc66df0f50aefadfdc927904b520fdc2f994f18

memory/4464-639-0x0000000009470000-0x000000000947E000-memory.dmp

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll

MD5 c99c9eea4f83a985daf48eed9f79531b
SHA1 56486407c84beecadb88858d69300035e693d9a6
SHA256 7c416d52a7e8d6113ff85bf833cae3e11c45d1c2215b061a5bbd47432b2244a5
SHA512 78b8fd1faada381b7c4b7b6721454a19969011c1d1105fc02ba8246b477440b83dc16f0e0ce0b953a946da9d1971b65315ac29dbb6df237a11becb3d981b16b9

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll

MD5 a3f630a32d715214d6c46f7c87761213
SHA1 1078c77010065c933a7394d10da93bfb81be2a95
SHA256 d16db68b4020287bb6ce701b71312a9d887874c0d26b9ebd82c3c9b965029562
SHA512 920bb08310eadd7832011ac80edd3e12ce68e54e510949dbbde90adaac497debe050e2b73b9b22d9dc105386c45d558c3f9e37e1c51ed4700dd82b00e80410bc

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll

MD5 7ddd5548e3c4de83d036b59dbf55867a
SHA1 e56b4d9cfca18fb29172e71546dc6ef0383ac4e9
SHA256 75f7b0937a1433ea7e7fa2904b02fd46296b31da822575c0a6bc2038805971ef
SHA512 9fb30ef628741cebbc0f80d07824e80c9c73e0e1341866f4e45dc362fea211d622aa1cffc9199be458609483f166f6c34c68b585efe196d370c100f9c7315e0d

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll

MD5 2c8e5e31e996e2c0664f4a945cece991
SHA1 8522c378bdd189ce03a89199dd73ed0834b2fa95
SHA256 1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979
SHA512 14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll

MD5 18bdfd4b9e28f7eba7cbb354e9c12fcb
SHA1 26222efacb3fce1995253002c3ce294c7045cf97
SHA256 3105da41b02009383826ed70857de1a8961daeb942e9068d0357cddd939fa154
SHA512 7d27eeff41b1e30579c2a813eea8385d8a9569bc1ece5310b0a3f375fba1894028c5cec2cf204e153a50411c5dcf1992e8ac38f1c068c8f8af9bd4897c379c04

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 4394dafed734dfe937cf6edbbb4b2f75
SHA1 06ec8f1f8dd1eab75175a359a7a5a7ee08d7a57a
SHA256 35b247534f9a19755a281e6dc3490f8197dd515f518c6550208b862c43297345
SHA512 33d9c5041e0f5b0913dd8826ceb080e2284f78164effde1dbf2c14c1234d6b9f33af6ae9f6e28527092ad8c2dbc13bddfc73a5b8c738a725ad0c6bb0aa7fcfaf

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll

MD5 77c5cc86b89eed37610b80f24e88dcc2
SHA1 d2142ecce3432b545fedc8005cc1bf08065c3119
SHA256 3e8828ab7327f26da0687f683944ffc551440a3de1004cc512f04a2f498520f6
SHA512 81de6533bba83f01fed3f7beed1d329b05772b7a13ffe395414299c62e3e6d43173762cb0b326ea7ecf0e61125901fcee7047e7a7895b750de3d714c3fe0cc67

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll

MD5 fbfcf220f1bf1051e82a40f349d4beae
SHA1 43154ea6705ab1c34207b66a0a544ac211c1f37d
SHA256 9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d
SHA512 e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 bef17bf1ba00150163a2e1699ff5840a
SHA1 89145a894b17427f4cb2b4e7e814c92457fd2a75
SHA256 48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328
SHA512 489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll

MD5 c7c4a49c6ee6b1272ade4f06db2fa880
SHA1 b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e
SHA256 37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f
SHA512 62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll

MD5 ebac9545734cc1bec37c1c32ffaff7d8
SHA1 2b716ce57f0af28d1223f4794cc8696d49ae2f29
SHA256 d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26
SHA512 0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll

MD5 c0c8790510471f12f3c4555e5f361e8e
SHA1 7adffc87c04b7df513bb163c3fbe9231b8e6566a
SHA256 60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80
SHA512 4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll

MD5 7243d672604766e28e053af250570d55
SHA1 7d63e26ffb37bf887760dc28760d4b0873676849
SHA256 f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18
SHA512 05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll

MD5 6f9f9d52087ae4d8d180954b9d42778b
SHA1 67419967a40cc82a0ca4151589677de8226f9693
SHA256 ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0
SHA512 22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 56486925434ebcb5a88dd1dfa173b3d0
SHA1 f6224dd02d19debc1ecc5d4853a226b9068ae3cd
SHA256 4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce
SHA512 7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll

MD5 a639c64c03544491cd196f1ba08ae6e0
SHA1 3ee08712c85aab71cfbdb43dbef06833daa36ab2
SHA256 a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60
SHA512 c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll

MD5 e1debeda8d4680931b3bb01fae0d55f0
SHA1 a26503c590956d4e2d5a42683c1c07be4b6f0ce7
SHA256 a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d
SHA512 a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 6e46e5cca4a98a53c6d2b6c272a2c3ba
SHA1 bc8f556ee4260cce00f4dc66772e21b554f793a4
SHA256 87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce
SHA512 cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

MD5 a37faea6c5149e96dc1a523a85941c37
SHA1 0286f5dafffa3cf58e38e87f0820302bcf276d79
SHA256 0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e
SHA512 a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

MD5 6486e2f519a80511ac3de235487bee79
SHA1 b43fd61e62d98eea74cf8eb54ca16c8f8e10c906
SHA256 24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667
SHA512 02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

MD5 540d7c53d63c7ff3619f99f12aac0afe
SHA1 69693e13c171433306fb5c9be333d73fdf0b47ed
SHA256 3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36
SHA512 ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 77e9c54da1436b15b15c9c7e1cedd666
SHA1 6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360
SHA256 885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658
SHA512 6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

MD5 b72698a2b99e67083fabd7d295388800
SHA1 17647fc4f151c681a943834601c975a5db122ceb
SHA256 86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378
SHA512 33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

MD5 89766e82e783facf320e6085b989d59d
SHA1 a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed
SHA256 b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90
SHA512 ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

MD5 769bf2930e7b0ce2e3fb2cbc6630ba2e
SHA1 b9df24d2d37ca8b52ca7eb5c6de414cb3159488a
SHA256 d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a
SHA512 9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 bedc3d74c8a93128ef9515fd3e1d40eb
SHA1 d207c881751c540651dbdb2dbd78e7ecd871bfe1
SHA256 fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32
SHA512 cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

MD5 c9649c9873f55cb7cdc3801b30136001
SHA1 3d2730a1064acd8637bfc69f0355095e6821edfd
SHA256 d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f
SHA512 39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e

memory/1372-735-0x000000006DBD0000-0x000000006DC1B000-memory.dmp

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

MD5 13b358d9ecffb48629e83687e736b61d
SHA1 1f876f35566f0d9e254c973dbbf519004d388c8d
SHA256 1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd
SHA512 08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

MD5 cedbeae3cb51098d908ef3a81dc8d95c
SHA1 c43e0bf58f4f8ea903ea142b36e1cb486f64b782
SHA256 3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0
SHA512 72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

MD5 8fd05f79565c563a50f23b960f4d77a6
SHA1 98e5e665ef4a3dd6f149733b180c970c60932538
SHA256 3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73
SHA512 587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

MD5 7041205ea1a1d9ba68c70333086e6b48
SHA1 5034155f7ec4f91e882eae61fd3481b5a1c62eb0
SHA256 eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d
SHA512 aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

MD5 e87192a43630eb1f6bdf764e57532b8b
SHA1 f9dda76d7e1acdbb3874183a9f1013b6489bd32c
SHA256 d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf
SHA512 30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 e46bc300bf7be7b17e16ff12d014e522
SHA1 ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44
SHA256 002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e
SHA512 f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

MD5 c1fdd419184ef1f0895e4f7282d04dc5
SHA1 42c00eee48c72bfde66bc22404cd9d2b425a800b
SHA256 e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7
SHA512 21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

MD5 0fb91d94f6d006da24a3a2df6d295d81
SHA1 db8ae2c45940d10f463b6dbecd63c22acab1eee2
SHA256 e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8
SHA512 16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

MD5 1fb62ef7e71b24a44ea5f07288240699
SHA1 875261b5537ed9b71a892823d4fc614cb11e8c1f
SHA256 70a4cd55e60f9dd5d047576e9cd520d37af70d74b9a71e8fa73c41475caadc9a
SHA512 3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61

memory/3872-910-0x000000006DBD0000-0x000000006DC1B000-memory.dmp

C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

MD5 4acd5f0e312730f1d8b8805f3699c184
SHA1 67c957e102bf2b2a86c5708257bc32f91c006739
SHA256 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA512 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf

MD5 137c63c462cb49727526b877d3b4c66d
SHA1 729f4f3de54547e8f9ed1f42b34e88597ffd8222
SHA256 102cf8e49630f54f8711be71db61ff524082620d6519706e93ba07f307a08acf
SHA512 2101cc0716c1ed543714a6c198845743050a590e292e863012fed678b2a1aa48ab86bf5079a915472faa8103da3426740eb3935b172e246eb604c430f561ce38

C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

MD5 6f5b35f602e90da64b386c2c91d6d600
SHA1 2a0abd117294a4562d9df0e7b2413a4ce2479df2
SHA256 8dcdfbcc6f1aa57a62c4cd96580d01ab444eb10eb7cecd25fe746b02aa001abf
SHA512 a6ec763bd37b2baad9f2f6991b0bc2103154031aef6a3b13e17bba5f55d6fcbd29e8791d4c57b06b38d11ab348ee48ee9bbf5425b1fe4234fe9610ac9bebd1bc

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll

MD5 ad4e507d851623dd1e9582fd771e0e62
SHA1 3e24903799902ad8f4139787d679207d47603910
SHA256 8048762d31e5b569adb1155047208682ce5ca06fbc9c1958396c1d393b032e60
SHA512 fd86537a0a952281030fd33d1a5d0fd32a67ba3ac06d1e643068eef48676384a712c25126b950d730b6f68d796ff5ac6dbfe73e436545b87bbf38b385f303d8c

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

MD5 41712ac0064987f38b56e228f7120bc8
SHA1 87c4f5d3a5b9823a62369d672def9bb1041a7199
SHA256 989d040888b107709555e73fde516a60b06fe17f3afe0fba1713963d94a1410f
SHA512 164e7e069f9cc633e5e6d8277e973d03008d1a952b9c8c12fca5b0a280b58176307597808e80dd9952182ad6430611ceac06a300d39fa5d4cd5d3e60d63daa6f

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll

MD5 0c64077e2c2bc0e9248fb8f0b179f25b
SHA1 c40a1010e1b79a59c84734e718ab45605df11682
SHA256 7535655a3ce529f880c0bf7ca6b2b4dd6057ed47e3a4ac1000a2a6e3d08d93d3
SHA512 c992ef4b719ee49508530340e228ddef317c122a07df576780412199be7a1694c21028c7a41204609058534cf67081f465248b892c214e65eded9efc455113da

C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

MD5 3e29914113ec4b968ba5eb1f6d194a0a
SHA1 557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256 c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA512 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

MD5 52c43baddd43be63fbfb398722f3b01d
SHA1 be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA256 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA512 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

MD5 ba46e6e1c5861617b4d97de00149b905
SHA1 4affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA256 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512 bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

MD5 2d40f6c6a4f88c8c2685ee25b53ec00d
SHA1 faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA256 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA512 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

MD5 01c4246df55a5fff93d086bb56110d2b
SHA1 e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256 c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA512 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

MD5 1008967f39265e740f3c12de292f8dcb
SHA1 3ff026ee345387451ca44bc04eabaaba6e4ddb70
SHA256 4dae412c736a85f5d6a4ad2fb8a6f193da4bb5d8bb7299212026c00511ecad4b
SHA512 099a5953b4d7ce36892e42777facb7ceb6d43e1631ba1c7bc7e41f1c1ebfe07b82af6568121df11692044704194705ff8ff80e1cc0a91f5a9971ccb928a6c6df

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

MD5 f96c25bb4feee47fe4111660fa0706b3
SHA1 284126ce4f80b6bfd6037f6137dee90c941e4eec
SHA256 9b5d44c60b18b36bcc1cc0e28585ae168d92239beda197d739c3e64edb229867
SHA512 b4297728f031863ccfb50de52d18f443d6ae893322e2f6b315497e187329275fbf41828867e614b35e9ff60ac6e3e1ae77d876fa8e131336c2d6a1fb6ff7db36

C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc

MD5 ea0134409ce0ad5317988f4f9da90df7
SHA1 42ca706a700e5a8281cbe500840c66c1b7255899
SHA256 5aeab7ae060279a9deeb6598fa1770b004d1fe9cbe9360d6a88d500e08fe6885
SHA512 5f9bda24b46151aa0b7a0a19ea1ee0a4c15f8b110ee39437b38deee271dc06ec708133d6d4a13d8a2748ee4b319e7647a8f235622617997a26647d3fbf30dd76

C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

MD5 aa762fa34781c6e8da629cf0d1933cd9
SHA1 34bea46040c39d0decf43a085f752f5d55682883
SHA256 bfbef6660ca181b76c0e93519e49104c6ccafac00cccaa2b9c6d71dfee2b9d8d
SHA512 7507fbb9ed60f41e020b65f29f233c9af46e9dc0020a9e0548d6920d479687653a0742e17225c8650c4d4e8d915aa5597a149ba5ab22416e06a0a67414b35f3f

C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

MD5 8fa00933f2be3aca4d7c68e5beb52398
SHA1 9bc333578d03c3e81badfae8bdb07bdae030541b
SHA256 06fdf9ef749dbf3f5cc2ae2321b3704ba0d35544d6cc2b998191990e3f64f555
SHA512 067dde8c05d5ee74ea2c648b4baf2ab43e078c19609ddd7648532877d0031cc2a77e74506a642dd69d98a133d8e8999aa6cf4f1f60c09efe9c50e220351da24f

C:\LDPlayer\LDPlayer9\dnplayer.exe

MD5 ec0aacce6a42a7dd59054a9225e0ac28
SHA1 48533211595f723bb14e6657934ee34905342748
SHA256 eda720ed20b86dfc4255ca45dd1e9362dd2aaf7764a5cd9b82c2cbfa47107592
SHA512 82b62de7248165aaaa4ce838bc91c89a634b4a20f6dc4b0e6a7f7c10f5a55c43756bc8a0c8a08393a3b107c2aa8067f542ed362cc8712d8981a0dcda3241d354

memory/4804-1170-0x00000000010B0000-0x00000000010C6000-memory.dmp

C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

MD5 8f538528ce787dc0f7528acf6a87f514
SHA1 10461b25159e124c0c2816266cf1e22975f271d7
SHA256 d087c07a91cb12c862d2b39e9fd6a07f7c94b1cbf3bfa33d66caf673ccc1170f
SHA512 8c1f292202b147e06b0fd9541806a3515d1274476e3f255558ee80229ef14ccbcc2724383ba46587dd69ffa673b2423dca4c68c1d95f232de8b52bd1df03e966

memory/2380-1222-0x000000006EF90000-0x000000006EFE9000-memory.dmp

memory/2380-1218-0x000000006F720000-0x000000007111B000-memory.dmp

memory/2380-1221-0x000000006EFF0000-0x000000006F06A000-memory.dmp

memory/2380-1220-0x000000006F070000-0x000000006F0EE000-memory.dmp

memory/2380-1219-0x000000006F170000-0x000000006F716000-memory.dmp

memory/4804-1185-0x00000000369D0000-0x00000000369E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

MD5 6de0ef4a83aadebe5d7e07a64fc9d220
SHA1 f2162f30992ced0b882bfced0477ebf62b7ce186
SHA256 b7c4de833b0e2689724414802fbdda35d7cc1c4529eb95282fd0ffd175119008
SHA512 eebe007e0ece66c08138720bb46864470826a6b49a8edb1fd1593c4efade4bbf32c764d205383ef4745a738a1242f92e4c396abeb56e6ff9e785977ce8f646da

memory/4804-1229-0x000000006EFF0000-0x000000006F06A000-memory.dmp

memory/4804-1227-0x000000006F170000-0x000000006F716000-memory.dmp

memory/4804-1228-0x000000006F070000-0x000000006F0EE000-memory.dmp

memory/4804-1231-0x000000006EF90000-0x000000006EFE9000-memory.dmp

memory/4804-1230-0x000000006F720000-0x000000007111B000-memory.dmp

memory/2340-1253-0x000001969E520000-0x000001969E530000-memory.dmp

memory/2340-1272-0x000001969D6F0000-0x000001969D6F2000-memory.dmp

memory/2340-1237-0x000001969E420000-0x000001969E430000-memory.dmp

memory/3036-1281-0x0000022A3FD80000-0x0000022A3FE80000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ed986dd4261c4306a6f60fc921f4b3e5
SHA1 be020a808fc92825b60a337f739ccaf8446e0390
SHA256 363b5401fef64a0330eddf2c5657e2de60512d6fe2e101f031047528c2ee53da
SHA512 f30eb9e6c6e1d4032c7a8f5b3898382a305b256c5fab9158b1d3da1c894fd60a016b75472313f397bf1848b492a63108f8b82dede9faddcbe7f7d142f444f35c

memory/396-1341-0x000001B719EE0000-0x000001B719EE2000-memory.dmp

memory/396-1339-0x000001B719E00000-0x000001B719E02000-memory.dmp

memory/396-1337-0x000001B719D40000-0x000001B719D42000-memory.dmp

memory/396-1372-0x000001B71B800000-0x000001B71B900000-memory.dmp

memory/396-1381-0x000001B719DD0000-0x000001B719DD2000-memory.dmp

memory/396-1379-0x000001B719D50000-0x000001B719D52000-memory.dmp

memory/396-1377-0x000001B719D20000-0x000001B719D22000-memory.dmp

memory/396-1494-0x000001B71A640000-0x000001B71A660000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SVBF352T\favicon[1].ico

MD5 a0c760136e1b6f7633a3582f734c53eb
SHA1 00176cd4ab6423fb4673ad856e79447b93dd05fe
SHA256 c7eb5447c806948853f817df7f8a1871a8707987d5606e39b145d69f7dc29cd1
SHA512 b5f9d0e6fc9346ac34a87fc5cb42bf375a0e2d58eff5fb53dfae4a1e576940cb2f57f921be390bb66b5ebc7b174b9d88d8519a27773624f1dabc960e077ecf65

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF562744C3AD7175EC.TMP

MD5 0d16f7746a76250cc98d28b11d9ce380
SHA1 23b6b17f7b58316e7018f2e5ebdf5656a9e7fc78
SHA256 8b748340ef94271ababf8d4c428112a4bcabd189681a1f493b3060b8075a9b82
SHA512 d6b82d6fe93f4ab3054e4aa5eec9482dbb20595522905b5620e6379238a9e12f7779e107d79f539a52492602ff27f3dded2e32f1daea17febeed4a8493d9e190

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\EFOV6XXD\www.youtube[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\EFOV6XXD\www.youtube[1].xml

MD5 58caf11b201fcd1e1ba36610339bf686
SHA1 5eee1e2ffb40e6cadfd0a8f3acc6cd4582feb856
SHA256 b2a87be68682229fc1cd610da913df9696829765e306ce4eb930b715beb8475c
SHA512 20b36a581caa1eb761e53d985dbaae859c158f7b6fb27d990fc55c8a26f13970134a8d92d36a6a9d4dfa5341649b6688fde247b4e1a45402daad49d833c75293

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\EFOV6XXD\www.youtube[1].xml

MD5 8d9997b9e3101dbf34eab0c6fd4d0e3e
SHA1 727d571025a3b59889d6eda32a4d114525b42f42
SHA256 fc5d1f48a7fdcc3e4f8ccf802fa58e006d526a88164325e033367586e0d16128
SHA512 5bfc82e29f2d2f78e051f8eb4dad858e9ac9a3fd64b3eee3f1636c4cea15d4d7b3d737417824c73b6d9dfe89ba79148e68af875f4559da3bcddf872355618574

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 03:26

Reported

2024-06-08 03:28

Platform

win11-20240426-en

Max time kernel

91s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_tw_35034_ld.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 encdn.ldmnq.com udp
DE 18.245.46.54:443 encdn.ldmnq.com tcp
DE 18.245.46.54:443 encdn.ldmnq.com tcp
US 8.8.8.8:53 10.2.138.108.in-addr.arpa udp
US 8.8.8.8:53 64.39.245.18.in-addr.arpa udp
SG 8.219.48.146:443 middledata.ldplayer.net tcp
US 3.161.82.43:443 cdn.ldplayer.net tcp
N/A 52.111.243.29:443 tcp

Files

N/A