Analysis Overview
Threat Level: Likely malicious
The file https://drive.usercontent.google.com/download?id=1kF2HxJ74ZFElgL8Jbj7WYKRmQ_67EBnF&export=download&authuser=0 was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Creates new service(s)
Possible privilege escalation attempt
Executes dropped EXE
Modifies file permissions
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Enumerates connected drives
Checks installed software on the system
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 16:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 16:32
Reported
2024-06-18 16:38
Platform
win10v2004-20240226-en
Max time kernel
278s
Max time network
292s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\LDPlayer_9_SuperLite.exe | N/A |
| N/A | N/A | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | F:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| N/A | N/A | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\takeown.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\Ld9VMMR0.r0 | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVBoxDbg.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\GLES_CM.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxProxyStub.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdp6Install.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SDL.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\EGL.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\capi.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr120.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5WinExtras.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBInstall.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\crashreport.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfInstall.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRT.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\capi.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libeay32.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vbox-img.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ucrtbase.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qoffscreen.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstPDMAsyncCompletion.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBTest.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI64.fd | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ossltest.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRes.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSDL.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDbg.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\VBoxRT-x86.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp120.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetFltUninstall.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qwindows.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x64.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxHostChannel.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMM.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ossltest.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0 | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxInstallHelper.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.sys | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxNetNAT.exe | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\dismhost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" | F:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632020456644798" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\NumMethods | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ = "IGuestPropertyChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\NumMethods\ = "42" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\NumMethods\ = "26" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0979-486c-baa1-3abb144dc82d} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ = "IRangedIntegerFormValue" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\ = "IVirtualBox" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3534-4239-B2DE-8E1535D94C0B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\NumMethods\ = "13" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\ = "IGuestProcessOutputEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ = "ISharedFolder" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient.1\ = "VirtualBoxClient Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04d0-4db6-8d66-dc2f033120e1} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-057D-4391-B928-F14B06B710C5}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9849-4F47-813E-24A75DC85615}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\NumMethods\ = "15" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8084-11E9-B185-DBE296E54799}\NumMethods\ = "9" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\NumMethods\ = "31" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ = "IVirtualBoxClient" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\NumMethods\ = "14" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4ba3-7903-2aa4-43988ba11554} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\LDPlayer_9_SuperLite.exe | N/A |
| N/A | N/A | F:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | F:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.usercontent.google.com/download?id=1kF2HxJ74ZFElgL8Jbj7WYKRmQ_67EBnF&export=download&authuser=0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06949758,0x7ffa06949768,0x7ffa06949778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ld9.rar"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5720 --field-trial-handle=1876,i,5380849579993327879,13029015017973101746,131072 /prefetch:2
C:\Users\Admin\Desktop\LDPlayer_9_SuperLite.exe
"C:\Users\Admin\Desktop\LDPlayer_9_SuperLite.exe"
F:\LDPlayer\LDPlayer9\dnrepairer.exe
"F:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=197176
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "F:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "F:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "F:\LDPlayer\LDPlayer9\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "F:\LDPlayer\LDPlayer9\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9BoxHeadless.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9BoxSVC.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9VirtualBox.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VBoxManage.exe /T
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\dismhost.exe {7B888A1C-4412-4061-8063-DD06985D9066}
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9BoxHeadless.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9BoxSVC.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM Ld9VirtualBox.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM VBoxManage.exe /T
F:\LDPlayer\LDPlayer9\driverconfig.exe
"F:\LDPlayer\LDPlayer9\driverconfig.exe"
F:\LDPlayer\LDPlayer9\dnplayer.exe
"F:\LDPlayer\LDPlayer9\dnplayer.exe" from=install
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x3b8
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-54d7-000000000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-54d7-000000000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-54d7-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | encdn.ldmnq.com | udp |
| US | 8.8.8.8:53 | ad.ldplayer.net | udp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| NO | 54.240.174.22:443 | ad.ldplayer.net | tcp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| GB | 216.58.213.14:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 32.174.240.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.174.240.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.241.230.54.in-addr.arpa | udp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| NO | 54.240.174.32:443 | encdn.ldmnq.com | tcp |
| US | 8.8.8.8:53 | advertise.ldplayer.net | udp |
| US | 163.181.154.248:443 | advertise.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 2.217.230.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | res.ldplayer.net | udp |
| US | 163.181.154.241:443 | res.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 248.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.181.163.in-addr.arpa | udp |
| US | 163.181.154.241:443 | res.ldplayer.net | tcp |
| US | 163.181.154.241:443 | res.ldplayer.net | tcp |
| US | 163.181.154.248:443 | advertise.ldplayer.net | tcp |
| NO | 54.240.174.22:443 | ad.ldplayer.net | tcp |
| NO | 54.240.174.22:443 | ad.ldplayer.net | tcp |
| US | 8.8.8.8:53 | apien.ldmnq.com | udp |
| NO | 54.240.174.44:80 | apien.ldmnq.com | tcp |
| NO | 54.240.174.44:443 | apien.ldmnq.com | tcp |
| NO | 54.240.174.44:443 | apien.ldmnq.com | tcp |
| US | 8.8.8.8:53 | 44.174.240.54.in-addr.arpa | udp |
Files
\??\pipe\crashpad_3588_RECXJSIRZJHRLCQF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 42c9bf1dfd5b9d692a7fe752d5f135e3 |
| SHA1 | fe9dd55ac2e5cade069138cf336a61d89f079a15 |
| SHA256 | c16b0b7a3d9033648a7ed08131ad5c01af280a02b9bb640e3adf914252521edc |
| SHA512 | 0dc37116a48487797e8a4e74424166710504036546a1853373ad4eb6c14b46f480169a97a660cb6fb2d2427cab849726d57cca8a5b30997cdbca7cb2f1255cb2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dbba659fed3ee92e62b34b90771ca279 |
| SHA1 | 1055cc38abf2f2b20b554866815012b4e9ccff17 |
| SHA256 | d7c8ba079c36f64372ad23f7b39773f2949cea19fe516d3cc4c2ba928590f588 |
| SHA512 | c58d4fb6e888b7fb0880ac7b5aaf4277f7a843e846342a91a46ede733410dbe0cabf3798f5c7deb6f9d0edb3ecd38955a3c144432686cf0ad2faed3f00defd10 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c8d02c7f73391dfc22459bb439086d88 |
| SHA1 | 26bb414628b6f0d71681341b654a6834d30ecccb |
| SHA256 | 3195224ddf3539639c0c6d8323c2406c3811ada2ecdc63b50237ff93760eb70a |
| SHA512 | 8880f8d445f47024d3e539a493837430e736fd267578c68b763c4a67225e20f1c8e95c0ec2188cddee81e832414f096c489be094cea37edbfb18b29e4951d1c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c2e0855c-e435-41c5-b178-92ea87674924.tmp
| MD5 | 05ea976364dbcfa63b6cbad64c8bc00f |
| SHA1 | 07b99b883cb445712d4df5d426dfc3fb78ebc15a |
| SHA256 | 99ac1bd9abb14ff8a3a3d9d1c308ecdb489b98c974e0614d6254e3c98b8517ef |
| SHA512 | b3bb8b979276d34dc6fd773949559723eef54ccabadbaf5a8d28018009964b717e693ba867ae91c28b876c2427d6418314ceb1e0002fd0c279b3521b21f5e90f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | da58dd7100ffba43e336e298d92618a4 |
| SHA1 | 50b3e660d897ee736e77666119df0a2ce077a4cc |
| SHA256 | 2a181e963b89395b319e307d27fbc2177c37f274d1ce4190b74b7e423d2c7c3e |
| SHA512 | 2afb956e982fa6d26dc3eb4bce5e8f834824c2eb947520c0ad6882b935172fd636b4e08a1480afcc79ef3a070d1c639d478a3bd323d10cacc0dca878d9c770ac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8b734513e8847b5538e5f6b2a0afdbbc |
| SHA1 | 3dc9ff0c40a43b0b857269480b66a0f136757684 |
| SHA256 | 73e8d3abd18e031cae4d7bfa56af32e62dc717f6045d1d31b4d647288b92165a |
| SHA512 | 65cef644b7d13a8c7d9e163bf022dd96a6346185ae7cc6b42b1b116ab404cfed78a501c362b02f165efc6246b809a09f5978bcc9516bfe783087e94888be0b40 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 2f00561b86cf752adf0d6a9c3a553f60 |
| SHA1 | 1e9bcd308abd55c3dba71f9001166bc621f3161e |
| SHA256 | 4337319f03618bae11049d4352a5c0910d86ba75d3fca42e39ac884c5877637b |
| SHA512 | c68dae4f8d53cd9370792308efbb7ef5263b09691385a03cd09dc5d65dca28fa25d82b2b2bee54b56db3f9af33f5c3ced52821de679c2daeb71e25836e8c3660 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599ca4.TMP
| MD5 | ec2d77717b2518af51df65d6b9b6b2f9 |
| SHA1 | 3cf1dc9253b1d9278cd35d77104bb2a03561b468 |
| SHA256 | e7e841fa91d76d5795e0187678338137aab6e278f8d5c73faa6daf959a394f05 |
| SHA512 | 8fe67f044a2d58fdb7ec09bafd3fedc2faa51bc246d6f36caf644fe56cf693a72d5444ec50996705f42af8397e034c64dd177d573da4a5d9fa5f133338c1c655 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f634ec8a52bbdaaf8580a502dbfed26d |
| SHA1 | 14425b5233f93c74d7c4612d4daa3b55ecbda4b8 |
| SHA256 | 2184e59ed2d6629586139edead2ea0086b3670720bc21832ba5ba5cac16e3701 |
| SHA512 | ca9b8af6066215ca270409ef805db632665f8788e90d9e5880eb0661723b95e8bfec9966369f30f033d368446cde86ff7effa1c85b045e5fefcc84fcc56c6759 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 9ecc2df7c96ae82ce1ec1b9c84345df7 |
| SHA1 | 9f71c969b8064d3747e0b883f39df787b7e084f1 |
| SHA256 | c7581b2822590f8a2391b876e777ac2828293661eed329404fdbc34675e17a2b |
| SHA512 | 7b1a8f16b1dc99612c76d4728403abaf5df1d5556bad2ebf95c142f73a3aa395281686933cb0c3b15c0d256e05a79fbd97b034a5dfed48dd6396f9bf743060c5 |
F:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | fed7fc8593d59473d2dd14b6f70a33ac |
| SHA1 | 4b2f7aeef556d8253980545587f0e0eb9f1cd1e4 |
| SHA256 | 503efb6dad821e923063c93bdc4143acf8bed810112d98664417b0a2d4334672 |
| SHA512 | 16291de3396f14589f4ab93758fbbf83926c45c5c2f7e4e1446239864ebb77d9474c96db86c19acbf4755a0b57c270a2d666e2990ccd693c56a63d1737590bee |
F:\LDPlayer\LDPlayer9\msvcr120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
F:\LDPlayer\LDPlayer9\msvcp120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
F:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | b226aec197b33eba21014a6caa700809 |
| SHA1 | 6b80d3c01dd3e5e1a181585099c25fe9ff1c428d |
| SHA256 | 75da8fa73e3f9652f4b43c491f4fa44fcd40bc7d6dc71f82c04f19244b404171 |
| SHA512 | 36ad64d6f5996b7f6a4a0b8e04a5423fe541347dedb8bd0878feab957f665c680e938716efbdb345a1879c4055140b069748700e04686a5d19d6945b2c472cca |
F:\LDPlayer\LDPlayer9\vms\config\leidian0.config
| MD5 | e462e8e22deae6b010068e6f7edbe77f |
| SHA1 | 89c05720a591eff58f83c92de1bb685f13790579 |
| SHA256 | 730d273206cd9405886e9c4134a62c54e795e7678cb752fc806e0ba696108e42 |
| SHA512 | 2aade052c95f0fb47540a0595e9ddc6a62f09193f854ae692a8b71eb9c4e62d60db0f0ad1a23713598d12cc915c4245cb2f60ec09596d500f99543c0adc2de9c |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 84fd9d3c2cddd5418afd630f9ff6df10 |
| SHA1 | 3231629c24cc74e776007381ebdb6836d4180db3 |
| SHA256 | 2d5f658a512c2ca583a8092597d906f68c7e62aee367bc446b784894dd9475fa |
| SHA512 | 61ab4bebc6c64121ffa5a7ceb818defce8fcd796f365675fd748517dd46b05940c489a8c59bd13cc015e20a9f940177494e920e0507b6b5fc94657ebbbd71441 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\GenericProvider.dll.mui
| MD5 | d6b02daf9583f640269b4d8b8496a5dd |
| SHA1 | e3bc2acd8e6a73b6530bc201902ab714e34b3182 |
| SHA256 | 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0 |
| SHA512 | 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\OSProvider.dll.mui
| MD5 | 0633e0fccd477d9b22de4dd5a84abe53 |
| SHA1 | e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9 |
| SHA256 | b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706 |
| SHA512 | e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\OfflineSetupProvider.dll.mui
| MD5 | 015271d46ab128a854a4e9d214ab8a43 |
| SHA1 | 2569deff96fb5ad6db924cee2e08a998ddc80b2a |
| SHA256 | 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec |
| SHA512 | 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\MsiProvider.dll.mui
| MD5 | c5e60ee2d8534f57fddb81ffce297763 |
| SHA1 | 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2 |
| SHA256 | 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145 |
| SHA512 | ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\LogProvider.dll.mui
| MD5 | 8933c8d708e5acf5a458824b19fd97da |
| SHA1 | de55756ddbeebc5ad9d3ce950acba5d2fb312331 |
| SHA256 | 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6 |
| SHA512 | ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\IntlProvider.dll.mui
| MD5 | 2eb303db5753eb7a6bb3ab773eeabdcb |
| SHA1 | 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4 |
| SHA256 | aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f |
| SHA512 | df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427 |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\ImagingProvider.dll.mui
| MD5 | f2e2ba029f26341158420f3c4db9a68f |
| SHA1 | 1dee9d3dddb41460995ad8913ad701546be1e59d |
| SHA256 | 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3 |
| SHA512 | 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\A6FAA93D-B770-4A3C-B12C-B54E91E8CECF\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Windows\Logs\DISM\dism.log
| MD5 | ad0d7eb1d6865c4f9449f723a5246fec |
| SHA1 | 4c05dd58a30320030714d8cbedb6fac77a1a6d55 |
| SHA256 | 0fb77b8ffb24f1c8754b4bb2f7152c67f26afb1930a86498e3c2ac3bba4ad54a |
| SHA512 | b39e08531378c9fa105f52d7b8c5cd11847e292610c2845f995059d989c726c823161ccca0412e0c3e03cf199f26274becc20b545b00d5352bb514b1f2457066 |
memory/3120-907-0x0000000002FF0000-0x0000000003026000-memory.dmp
memory/3120-908-0x0000000005B00000-0x0000000006128000-memory.dmp
memory/3120-909-0x0000000005AA0000-0x0000000005AC2000-memory.dmp
memory/3120-910-0x0000000006220000-0x0000000006286000-memory.dmp
memory/3120-911-0x0000000006290000-0x00000000062F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umxd5ms0.bn4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3120-921-0x0000000006300000-0x0000000006654000-memory.dmp
memory/3120-922-0x0000000006900000-0x000000000691E000-memory.dmp
memory/3120-923-0x0000000006940000-0x000000000698C000-memory.dmp
memory/3120-924-0x0000000006EF0000-0x0000000006F22000-memory.dmp
memory/3120-925-0x000000006F600000-0x000000006F64C000-memory.dmp
memory/3120-935-0x0000000006EB0000-0x0000000006ECE000-memory.dmp
memory/3120-936-0x0000000007AE0000-0x0000000007B83000-memory.dmp
memory/3120-937-0x0000000008250000-0x00000000088CA000-memory.dmp
memory/3120-938-0x0000000007C10000-0x0000000007C2A000-memory.dmp
memory/3120-939-0x0000000007C80000-0x0000000007C8A000-memory.dmp
memory/3120-940-0x0000000007E90000-0x0000000007F26000-memory.dmp
memory/3120-941-0x0000000007E10000-0x0000000007E21000-memory.dmp
memory/3120-943-0x0000000007E50000-0x0000000007E5E000-memory.dmp
memory/3120-944-0x0000000007F30000-0x0000000007F4A000-memory.dmp
F:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | aa073c8fafa21c86248516d910c91b33 |
| SHA1 | 43c1ce6553e41911ebfed6e979cd74819e882a9a |
| SHA256 | 19f6bab19eb86abd59d3b6b0c6e2212451755ba63553c05e538209e345cf3c90 |
| SHA512 | b7feb4a9a5b182bcab3ed35b002328afa8eabc8a80df70427c907e8b0a3967835a64144c90746f159eba2a25606413d70a190de9954869d008e078c6e556c4de |
F:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | cc37cc56883bdc7a1508071ba2ac4027 |
| SHA1 | bf98b54bbac13af8932324514bf62885a27ae91b |
| SHA256 | 826c1c78ce3e17509f1079fa62ddd06937126bab76cde9d4e096245c0971e1ef |
| SHA512 | 6832ca6c96478425bcf2fda4097356d0e37bebf3a33acf5ed747cf8be17ec9e4f1500f7154f67bf79f4a8106eb7addd6b8f5ee6c4b5f6bc417c4e7cea9a13a4e |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\灌籃高手@06(YOSHINORI MIYAMASU).jmp
| MD5 | 3a1ea631538635231c83fbb0e6b43172 |
| SHA1 | 793f2f995e22473ed51edf8c819bd137a638a3b8 |
| SHA256 | 55694d965640d1fd88285eedc4ea1888019d19f921f58b19ca3e6a065bdd8e2d |
| SHA512 | b4a86d6ffc76c31407338a405f65f8c16a18a082a52c5968fc10c6c13f037cec79e90a3b46b00794cb4564a1696d0bc965bc02bbb16abfb88dfe7bab1b6d22ca |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@01[PC Model](Annie).kmp
| MD5 | 60c3815bfe36f047ec0434926d319ced |
| SHA1 | 90f628debbb2bde75ec6939c8a904c21ca05ba14 |
| SHA256 | 9ec1f1bc3fa1a78374783aea451573c935b4338b737ecd4e17faabdf801195ec |
| SHA512 | 095471941ba9ca0eeec27a156ebcce360c10afd9cb8e926e4af755d6e69f3513fae28c1140056016b3768172684418ece1d51b4440a2f693ef1c4d57a4732b75 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\灌籃高手@06(KAEDE RUKAWA).kmp
| MD5 | c6663359083f11a6bddc7a1fbcaa264a |
| SHA1 | ebf1c4102196308d69df6b3ccef8e78de7ed2ef5 |
| SHA256 | 437ec41da7414e58f96d8d04991cacbdd5ef042bb64f22e787d4ce526b17164f |
| SHA512 | cfdb84d44a3977c3404cf6aea5f416047ffbba84eda461eef081b4eca14bb89ef0eda3e6990db72bdca8ef945c395073a0ee165350585815fdb5be677ed31ba4 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@01[PC Model].kmp
| MD5 | 9428775132f0283a87811f3af2ad2665 |
| SHA1 | bc2c735c1a4465a8330eb6667de95d0e5135920f |
| SHA256 | bdf12a17e6ae1c7489c43030b2a951bf293eb67ee2c4980a3024432f41ce1017 |
| SHA512 | 6980a4e8d333fcefc52dbdeafb1df4c8c7a459bce89851e7a50a940f45c666eb9e921a8a0efdb8720b1d4b2c1dcf04db945f2b2484b76d417f064344b62cd504 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@02[WASD Model](Aurelion Sol).kmp
| MD5 | e4765481e0f9bb9f97ee64b2987538e1 |
| SHA1 | f743b059b3f5c90f470dac43a4cd7a9cdd769175 |
| SHA256 | 3bdcbbb5bb7e7ad314d998102b9167db29fe0fee899f77dcc6bc0d69c1ccfaa6 |
| SHA512 | 94a598e37cec4e62931eb205b8a0c918dcf89af3e9cd61bb5cf58c15a0886b69d72231d679c4ace820e70446da2823c7912c33e1d69766686249d9b3b3cdf286 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@02[WASD Model](Kaisa).kmp
| MD5 | 100574d0a4008a70cf2f6bd159d3c4cb |
| SHA1 | 78661c0148e85463eeb2b78163284d09c6213308 |
| SHA256 | 9f18bfbc99c7b8e0f37047daa1e08884151aa57b3072d5a837a2b0188ee1735a |
| SHA512 | b9aceb5c2e3b261bc918a840e06d022a4b671af28f3bbf3901fafe417b4940606558b10675ae21ae980d778894cdb07a13320a932a83a2c0520550a799cb20fc |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@01[PC Model](Annie).kmp
| MD5 | 64ffff6ea4dc45370ce3eb6b9a749e38 |
| SHA1 | aab55ae7eab6ad3257c63cf234634ef6ae5796d1 |
| SHA256 | ebfae17c910125fa35cc8cac824ca7bb7aa375192a08f01bafb0383d41e150c0 |
| SHA512 | 50d8e9f5be2780e7428879adf29eaf1b69b25aa5694a42f0e31b197d3df203a71c84f392acff140a0477af15dc87e893144b539bd829edd1fbbcfaf089d345b4 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@02[WASD Model](Wukong).kmp
| MD5 | c6795ef98df6ed699012201e9a492885 |
| SHA1 | f3caed409650b21fd98dc40930676ad8673a67a1 |
| SHA256 | 2c3b5866e12aef9af9310c8cf81b77f4085c74a78017d59f6f7cbce8a5077c5c |
| SHA512 | c48ee45de4f1219c1290fcde63ffd664cb65a4976048b097143a8627dca511b2ca99a1912f6e7080d4940b9ac0ed8c80ea1ffd00d985fa7eaf2a54598a035f75 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Aurelion Sol).kmp
| MD5 | 682affc6815ef14407a0ccaa2a9d10b4 |
| SHA1 | 2a2cff38810242cc9b11ee117c140166216d6562 |
| SHA256 | 525e5a747d0929595e768bbe44d06e29a73a90a560062abc3c995b9ea0995993 |
| SHA512 | f19ec184893627a25b993c5628339ea3ae4bba8a72f0358d94987763259f176feb543aa552422a66647def71b236e5c6ee58c97ac6978d4a27b5a1f8c5f1c97d |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Draven).kmp
| MD5 | d61e02e3a98f4b9f5d48583d4ef06183 |
| SHA1 | be5cc1136b519d40e49186f9f1388c32f8178239 |
| SHA256 | 34a9313a9114fee24cfe249b0e67dcd3d40bb6827a70df8254f0e14ef2f6a647 |
| SHA512 | d61b8a181cb870f3970b8930473ab8e4610b152c65076ec0c1f11ae3043b967cae618e641e53d1585cbb14ea63a5baf0199cccc8deeafe8861854c8887c685bd |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Tom and Jerry[Keyboard operation mode]@01 (Jerry).kmp
| MD5 | 07d721d103540e005fdd784664cfbaa6 |
| SHA1 | ef4d304ed3c0162def5e623c87521a47dd323807 |
| SHA256 | b41b5b9abe8fd82fb5ac32a3d36e6bc16e5ac40987bc59999c489706431f50e9 |
| SHA512 | e2276cd4af34657bb82f44dbedba6df523d788a1c9d24752d3e11925cad73a71e73e1cd8ceafbb45404dd8204267f2ed2ed5793cf73c18bbbb0c5ba4fd73bca4 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@02[WASD Model](Gragas).kmp
| MD5 | 5ded88ce9d7367113a78b8c336df4673 |
| SHA1 | a51a4a26cad36d5fb534cec1ab4b7a9b824e2ec2 |
| SHA256 | 7b7022382d048ec86e66e42e38658d5631e890e1487cd6623ece44ca09795c21 |
| SHA512 | e0c771951fcf676e3cf56143b22a17fa9b5402ca9d8f176b94e372b275c2ea23e793076242dbdeaf56fa4cd8aa63958b8c3f66d9ee0504a2064c633f5cd4fad0 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟@02[WASD Model](Jax).kmp
| MD5 | 8334cc6e12498113249be9a208c6d3c4 |
| SHA1 | 3bb4994f4cc9d240c9545e1a33b6ed8e5cee81bf |
| SHA256 | 40f0985c85e59bc0c142d8ddbdf86f39dbd0daf084e0457043c4ddcaab14fa48 |
| SHA512 | 3475e239c98ef55dfbd50051660b31116ea5f008779b562727d0a53420a75d0f06a6c40b602ea6d91b3ef0640f1c8e79506c8b7e83307cc5c9e474af97bee20e |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Seraphine).kmp
| MD5 | f04cd4a8f6845ce984435e7b6a1e5cd0 |
| SHA1 | 95d57f868a9e4eec02ea3d66e83747138112187d |
| SHA256 | da34ebebb3e51abcd3f94262f0191e4f9222275622473ce62e40cfa1cdd6ba8f |
| SHA512 | 48b3ba2e7689245bf4cdb7db931a770e2e274e7873191644f45c8fa32417428e1813ff54beba74ef1396aaa55ee550764e52c5b0de3b78e866ad8f30a3f7a56f |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Malphite).kmp
| MD5 | 77c6bdcc7f852110d3fe2abb856453e8 |
| SHA1 | 388d267618745237ed5aa50f686d6308aaa3dd29 |
| SHA256 | 0f857556c697c2afa9520c9fc652fd4f1ae43580db97f4dd26ba3b6df7e886af |
| SHA512 | c03fdc1e9d636f2e86d83ff0999833c7794f3e49afa7e3cf64a76027f89a747da7a3f05b0d9caa797ab201b85ae972188b3e85d47227f5ff0bd190be471ebc11 |
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
| MD5 | 068e97930fc7935a6a4c49eb03815ebd |
| SHA1 | e8d93379b2abbe8f1fce17d06d63d3f1561fc802 |
| SHA256 | f06b7e3ad3413cd36e45a5da15c21c088cdcfdbf3ae3e967a16300777ffc4633 |
| SHA512 | 05ca7a6e265107c025e223771528c3e3cd5e9b30fbeb100a7e667e69f34d56fe9fa824d699a3099bf1d81d6e9a0d6eeff8b888052587148a0380294f08b627ea |
memory/3768-1950-0x00000000371F0000-0x0000000037200000-memory.dmp
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Cross Fire(challenge).kmp
| MD5 | a84b069f5e42a7f57c9cbdebeed81f40 |
| SHA1 | 999097282d9767434067e1ae3811704bb92589c6 |
| SHA256 | 953b5f074e31c2098da5b339a4bc67bce6304b064f4cf1fff44b62acaaf617f0 |
| SHA512 | 45c2dfe1be759d1cb1d64ca928eabda5de09c1fdf2fc952d201fd41828466a3914c5b929065de03605330398a12594411eb96aa70ed694ead1e51acd7632ffdf |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\DNF@01(←↑↓→ Model).kmp
| MD5 | c04b9a82e393a3c5113f9cedcc13fe9a |
| SHA1 | b3b2e24ef5e0e2e8d5045ede2d8ecdb36c94ab8d |
| SHA256 | 71c4e70b33cb64a3fc29e62d8a5c3ac39c6aa4b9f04ad4d49665ecd065693c0a |
| SHA512 | f4461c0a244d21928f7300b4e025de0ebe3cf8674474338d94527ad372f9270dc31ba9d5b92083da2561aec1a672a18913dafcaa6f05ce07cbb6b13dcf41f275 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Honor of Kings[WASD Model](Lady Sun).kmp
| MD5 | c06866fe23259332483268fbcd49500f |
| SHA1 | b20a5aecbb26c931044c53bf7bf945762d37cbb5 |
| SHA256 | ccd015930ab8ff67d64ce6fcdc2a5fee4d05d48c8b0ec5e55e7842c4f804af73 |
| SHA512 | bdd004f44d317a2a09c7cd4713402620393ea322396dfb308ae952c75c7a5c34ca4be52d03e25769ad12c33f37a1468f53396d95cfbfe39d7133a87d2e9eea94 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Honor of Kings[LOL Model](Lady Sun).kmp
| MD5 | abcdb83627e79d3afebd39b3db98a806 |
| SHA1 | ed6079b6d584ae6ad52d6daadfc90b6bf5aa5e5d |
| SHA256 | 4c686d71a2fcb4a049b248c975ebafdba8129c7858d49ad032e7c96ccde7cda4 |
| SHA512 | 5e7b35ef15cf42c65ea41698653503c8657d295cf4e9db0f16e99dfc580665b18fbdd01579f0563c6f7240cb412c851f3855334c835d9e38cd2b5e061d021bf2 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Hyper Front@02(Mode 1).kmp
| MD5 | a0860b13776e90685e1dc0f115fafff5 |
| SHA1 | 45d8c0cf4a202b0b460025a5e19801e6c1abb8dd |
| SHA256 | 77051be2b580ba6773b6f37edf20f8cf1de47f9682a684875837dd6235be76b3 |
| SHA512 | 9132c2a1980084f8abbbcb35a4b26858230788ba2f4efcd9ab09556ff81a010d63074e045bcb103cb348968be7dfa373b95ba13d624715d092c2195fc01171d4 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\Honor of Kings_w[WASD Model](Lu Bu).kmp
| MD5 | 710dd5e7e6ddd43147ed6675ea49a5b9 |
| SHA1 | 8d842c04cdc9a45c90a7a931dc68b0f8072f308e |
| SHA256 | 8abeecf48308deb39612827547a6fdd238fed4ce5db10157a6992ba7a41e022c |
| SHA512 | d68ab25bb74d04a05510fc2573ff974428ecae0f0ee1cbfd1369922e3d685c7aef60724a45c48aa2a9318409897a47417a090c1fcdd8859d57b6380c7bcd3d1f |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\marvel super war[LOL model](3 skill).kmp
| MD5 | 2b335914fba68be3b639af894ca8d380 |
| SHA1 | f426729f6b8cfc28af5e92c399a33c1a76d9f7dc |
| SHA256 | 18d8fd52a1c193b7e1b989d2e0abbdd054de685acb46bd5337a04963f33d77ba |
| SHA512 | 35157c2c9947a552ab1f951497b6df2cd55317cc2e00bb1af25310191139a56177bd5e3abd3be51a16f6f005fcc585a93ad43134e52f2ab919024e29f595f670 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\PUBG@03(2K Default).kmp
| MD5 | 6a578c88a69ce772cbff87857051df38 |
| SHA1 | 18e460ab0163305f3cd8a724f1df2e0199a801c8 |
| SHA256 | 600c458e3955f36f0802598e7a51675962597e1d3c8cf4c2dd9ed25941b5c6b2 |
| SHA512 | 2db4e45f5ae27a312f802b19f2b56c8f8c4dfb574008b7df83bfafc56da60a05b6ff97d2cd2c105e42d393fd41db2dd2fed949d4981579f3f3ec0090d885f9f2 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\劍靈革命.kmp
| MD5 | a770317d87a87b2f84ece2f958cb473b |
| SHA1 | 5c8840199cda6ecd2210bb56dd7e282b4b18abd8 |
| SHA256 | 0711efe6d95f3630b1e1687ed169ba141d95272dfabec29aeaf7fd5347f034cd |
| SHA512 | af2c86b5e66977bc8f7ba040b4e19b62e9e1fc8e340d9a500f8c1ed8010dee38bf99f4328dce3dec212bc958bedabc78a6ab0d45b55310cee78c9deb09ad3e9d |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Lulu).kmp
| MD5 | 7a6a61866bfa6fd9cdc96758a2232dfd |
| SHA1 | d45ee66610c64686f2993de53b5e38e9745267ba |
| SHA256 | 4527310c9ded77ee983c478783f419b3d41ea850aaefc1470f9b3c74ee16de06 |
| SHA512 | 09fe866ce2626dede45ffafc18c2daa952544bbb7d5c1afbe4437ff287202c4320ce09d416634a51ceb5bd0998d3047cda0c1e26e5d402b2de42d4d4d753c42c |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\英雄联盟_w@02[WASD Model](Fizz).kmp
| MD5 | 59d776b70cdfc45191ac842025098a91 |
| SHA1 | 7c8ce35fe683b37fc8a147dcde160e37418d9d02 |
| SHA256 | e5678f9cdef764f22131b20823bd631bd7c7fa602723de46a4b5204b4c136e9b |
| SHA512 | c16b1b259018fa9c5ce1e62f7bb197040a8a66a9696f7eae71b0fb75e71a0e17f24d491bf40d7d9a4c512631a118314a2605198e660da4940398d19b099bb5ed |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\리니지M.jmp
| MD5 | c9ad0a8d082c9788811b525b024008d8 |
| SHA1 | 276a235b58e3a55539c03b4ec3453729fd7470de |
| SHA256 | beb4913f3a52a1279c3fb9105c48484cb565299a04d18cf679412fd436124d24 |
| SHA512 | 33e9dd124d80c5401ddc37eb563ddf9099a75f845b8ae6ad50cd2a297c5989e9faf10e96e238683d3ea2b24bc728aa223f8561f80129fa6e622a6dc92f527c6f |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\brawlstars@01(smart).kmp
| MD5 | 8093fde0e29bfebfb51f4d2dc40467be |
| SHA1 | ce3bf0e5eddb0c633848c910a60ddece26808dc8 |
| SHA256 | a15e6d1e62838dde497bdbc88a7cb5eba9e0d3d46ff1e1fa57135299f84d6cce |
| SHA512 | 027a18c92ba37077869923a207817260200c6bd7c1d7cd7c5057675ce7e494f9d62a6134fc99d47204cbd6ff00443e1974d97c62813795ddfb747f5eea4363e2 |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\mobile ledends[WASD model](3 skill).kmp
| MD5 | be94aee9a7b2b4aaffda3a5654fdfba1 |
| SHA1 | 25b083ed0246a85cae2531dd3043bbb61e0bca8f |
| SHA256 | 9d49878a8c75435ce06fd592c4074b2884192a1e8107525900e8b7a38513814c |
| SHA512 | 3b89c19de406b98c876b15e75c290394f393edf3a278cca9f243e070d91fdd0308606ca2ba582e98d7886506ecdf2f90946d8d94ec2d616874c4b3fa0368590a |
F:\LDPlayer\LDPlayer9\vms\recommendConfigs\mobile ledends[LOL model](3 skill).kmp
| MD5 | b1d2a671791739f41b04f16a541a39e9 |
| SHA1 | 6780a766cf4035dd96cb0f5bf9392811ed2e4a60 |
| SHA256 | e2c1bde322c4c826e4b84d1ac13fef8eecdaa673273550c3529cfd375b0857a0 |
| SHA512 | e4ce5c50ca878840e9279e0142dc3d753cc858323cbe8519e8b5ce8cb59da28b037e9c0a85882dc457bdbf5be6de7c441107eb3e1ef4d14a0ca03741b067a477 |
F:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
| MD5 | 4d592fd525e977bf3d832cdb1482faa0 |
| SHA1 | 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef |
| SHA256 | f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6 |
| SHA512 | afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77 |
memory/3768-3873-0x0000000073300000-0x0000000073551000-memory.dmp
memory/3768-3872-0x0000000073560000-0x0000000073584000-memory.dmp