Analysis
-
max time kernel
216s -
max time network
218s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 21:08
Static task
static1
Behavioral task
behavioral1
Sample
LDPlayer9_ens_10040_ld.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
LDPlayer9_ens_10040_ld.exe
Resource
win10v2004-20240709-en
General
-
Target
LDPlayer9_ens_10040_ld.exe
-
Size
3.6MB
-
MD5
c85f57201dc0741041a0fe3bdf5bc52e
-
SHA1
f7fed7c3ba9a1bfb4e64e6bf17820ff53e49f6bc
-
SHA256
fbd3d3274fcd09cfa8ab1649c44c68bae8f717705f21da6004a11dbe08bf7147
-
SHA512
20c0eb8ae8b1b46f1cf1f8f8a35b47fc3d63f6200e4f2ff89f857d2220cdfee9a497ff0125a2de41d3915d8c16963f05746b2ef1b88e02395e0768e2d53f8891
-
SSDEEP
98304:ZykuIhvqfFAioK81r+kgdHNCoBiCV2Hb:c2CfFAiLnHYZ7
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit" regsvr32.exe -
Possible privilege escalation attempt 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 2016 takeown.exe 3964 icacls.exe 2384 takeown.exe 3212 icacls.exe 4196 takeown.exe 3112 icacls.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 2016 takeown.exe 3964 icacls.exe 2384 takeown.exe 3212 icacls.exe 4196 takeown.exe 3112 icacls.exe -
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exedescription ioc process File opened for modification \??\PhysicalDrive0 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
LDPlayer9_ens_10040_ld.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation LDPlayer9_ens_10040_ld.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\libeay32.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qminimal.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\fastpipe2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\SUPInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\ossltest.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vcruntime140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDD2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDDU.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5Core.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\concrt140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES12Translator.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdp6Install.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\msvcr120.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxRT.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\padlock.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\msvcp120.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5WinExtras.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAuth.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxManage.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxVMMPreload.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\fastpipe.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxRes.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\regsvr32_x64.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\tstInt.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\host_manager2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qwindows.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\SUPLoggerCtl.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSVC.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAuthSimple.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxHostChannel.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-math-l1-1-0.dll dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dismhost.exedism.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe -
Executes dropped EXE 16 IoCs
Processes:
LDPlayer.exednrepairer.exedismhost.exe360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exepid process 4516 LDPlayer.exe 1568 dnrepairer.exe 5020 dismhost.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 2008 Ld9BoxSVC.exe 3648 driverconfig.exe 4380 dnplayer.exe 3636 Ld9BoxSVC.exe 5064 vbox-img.exe 2692 vbox-img.exe 4376 vbox-img.exe 2648 Ld9BoxHeadless.exe 1884 Ld9BoxHeadless.exe 3872 Ld9BoxHeadless.exe 3160 Ld9BoxHeadless.exe 4156 Ld9BoxHeadless.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 3368 sc.exe 5036 sc.exe 4100 sc.exe 3856 sc.exe 4088 sc.exe 2832 sc.exe 2412 sc.exe 3964 sc.exe -
Loads dropped DLL 64 IoCs
Processes:
LDPlayer9_ens_10040_ld.exednrepairer.exedismhost.exe360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 1568 dnrepairer.exe 1568 dnrepairer.exe 1568 dnrepairer.exe 1568 dnrepairer.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 5020 dismhost.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 2008 Ld9BoxSVC.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4784 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4544 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4044 regsvr32.exe 4372 regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dnplayer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dnplayer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dnplayer.exe -
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3416 taskkill.exe 3772 taskkill.exe 4004 taskkill.exe 1208 taskkill.exe -
Processes:
dnplayer.exeiexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" dnplayer.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FF8D5C7B-3F00-11EF-A174-EE1473AF0696} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeLd9BoxSVC.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ = "IDHCPConfig" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\NumMethods\ = "17" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ = "ICursorPositionChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\NumMethods Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer\ = "VirtualBox.VirtualBoxClient.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\TypeLib Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\ = "IRecordingSettings" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23d0-430a-a7ff-7ed7f05534bc} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\NumMethods\ = "17" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3534-4239-B2DE-8E1535D94C0B}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4f9c-b0d5-53054496dbe0} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods\ = "25" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\NumMethods\ = "13" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FEBE-4049-B476-1292A8E45B09} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\FLAGS regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods\ = "18" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods\ = "24" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\ = "ISnapshot" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2354-4267-883F-2F417D216519} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ = "IDHCPIndividualConfig" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods regsvr32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2924 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
LDPlayer9_ens_10040_ld.exeLDPlayer.exednrepairer.exe360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exepid process 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 1568 dnrepairer.exe 1568 dnrepairer.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 2128 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe 4604 powershell.exe 4604 powershell.exe 800 powershell.exe 800 powershell.exe 2312 powershell.exe 2312 powershell.exe 4516 LDPlayer.exe 4516 LDPlayer.exe 2420 msedge.exe 2420 msedge.exe 1060 msedge.exe 1060 msedge.exe 3968 LDPlayer9_ens_10040_ld.exe 3968 LDPlayer9_ens_10040_ld.exe 1572 msedge.exe 1572 msedge.exe 2732 msedge.exe 2732 msedge.exe 2640 msedge.exe 2640 msedge.exe 2348 msedge.exe 2348 msedge.exe 5612 msedge.exe 5612 msedge.exe 5284 msedge.exe 5284 msedge.exe 3356 msedge.exe 3356 msedge.exe 4908 msedge.exe 4908 msedge.exe 6140 identity_helper.exe 6140 identity_helper.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dnplayer.exepid process 4380 dnplayer.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid process 660 660 660 660 660 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exemsedge.exepid process 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 5284 msedge.exe 5284 msedge.exe 5284 msedge.exe 4908 msedge.exe 4908 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
LDPlayer9_ens_10040_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exedescription pid process Token: SeDebugPrivilege 3968 LDPlayer9_ens_10040_ld.exe Token: SeShutdownPrivilege 3968 LDPlayer9_ens_10040_ld.exe Token: SeCreatePagefilePrivilege 3968 LDPlayer9_ens_10040_ld.exe Token: SeDebugPrivilege 3416 taskkill.exe Token: SeDebugPrivilege 3772 taskkill.exe Token: SeDebugPrivilege 4004 taskkill.exe Token: SeDebugPrivilege 1208 taskkill.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeTakeOwnershipPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe Token: SeDebugPrivilege 4516 LDPlayer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
LDPlayer9_ens_10040_ld.exemsedge.exemsedge.exednplayer.exemsedge.exepid process 3968 LDPlayer9_ens_10040_ld.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 4380 dnplayer.exe 2732 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exemsedge.exednplayer.exemsedge.exepid process 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 1060 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 2732 msedge.exe 4380 dnplayer.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 4524 iexplore.exe 4524 iexplore.exe 2080 IEXPLORE.EXE 2080 IEXPLORE.EXE 2080 IEXPLORE.EXE 2080 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
LDPlayer9_ens_10040_ld.exeLDPlayer.exednrepairer.exenet.exedism.exedescription pid process target process PID 3968 wrote to memory of 3416 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 3416 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 3416 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 3772 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 3772 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 3772 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 4004 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 4004 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 4004 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 1208 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 1208 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 1208 3968 LDPlayer9_ens_10040_ld.exe taskkill.exe PID 3968 wrote to memory of 4516 3968 LDPlayer9_ens_10040_ld.exe LDPlayer.exe PID 3968 wrote to memory of 4516 3968 LDPlayer9_ens_10040_ld.exe LDPlayer.exe PID 3968 wrote to memory of 4516 3968 LDPlayer9_ens_10040_ld.exe LDPlayer.exe PID 4516 wrote to memory of 1568 4516 LDPlayer.exe dnrepairer.exe PID 4516 wrote to memory of 1568 4516 LDPlayer.exe dnrepairer.exe PID 4516 wrote to memory of 1568 4516 LDPlayer.exe dnrepairer.exe PID 1568 wrote to memory of 4488 1568 dnrepairer.exe net.exe PID 1568 wrote to memory of 4488 1568 dnrepairer.exe net.exe PID 1568 wrote to memory of 4488 1568 dnrepairer.exe net.exe PID 4488 wrote to memory of 1084 4488 net.exe net1.exe PID 4488 wrote to memory of 1084 4488 net.exe net1.exe PID 4488 wrote to memory of 1084 4488 net.exe net1.exe PID 1568 wrote to memory of 3164 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3164 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3164 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 4716 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 4716 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 4716 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 1312 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 1312 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 1312 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3660 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3660 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3660 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3760 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3760 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3760 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3200 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3200 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3200 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3292 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3292 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 3292 1568 dnrepairer.exe regsvr32.exe PID 1568 wrote to memory of 2016 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 2016 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 2016 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 3964 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 3964 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 3964 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 2384 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 2384 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 2384 1568 dnrepairer.exe takeown.exe PID 1568 wrote to memory of 3212 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 3212 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 3212 1568 dnrepairer.exe icacls.exe PID 1568 wrote to memory of 3396 1568 dnrepairer.exe dism.exe PID 1568 wrote to memory of 3396 1568 dnrepairer.exe dism.exe PID 1568 wrote to memory of 3396 1568 dnrepairer.exe dism.exe PID 3396 wrote to memory of 5020 3396 dism.exe dismhost.exe PID 3396 wrote to memory of 5020 3396 dism.exe dismhost.exe PID 3968 wrote to memory of 2128 3968 LDPlayer9_ens_10040_ld.exe 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe PID 3968 wrote to memory of 2128 3968 LDPlayer9_ens_10040_ld.exe 360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_10040_ld.exe"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_10040_ld.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3416 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayerex.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004 -
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM bugreport.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208 -
C:\LDPlayer\LDPlayer9\LDPlayer.exe"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=10040 -language=en -path="C:\LDPlayer\LDPlayer9\"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\LDPlayer\LDPlayer9\dnrepairer.exe"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=9833163⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\net.exe"net" start cryptsvc4⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start cryptsvc5⤵PID:1084
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Softpub.dll /s4⤵
- Manipulates Digital Signatures
PID:3164 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Wintrust.dll /s4⤵
- Manipulates Digital Signatures
PID:4716 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s4⤵PID:1312
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s4⤵PID:3660
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s4⤵PID:3760
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s4⤵PID:3200
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" cryptdlg.dll /s4⤵
- Manipulates Digital Signatures
PID:3292 -
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016 -
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3964 -
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2384 -
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3212 -
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\2D975573-66FD-442C-AB03-E7B4FCFDFA12\dismhost.exeC:\Users\Admin\AppData\Local\Temp\2D975573-66FD-442C-AB03-E7B4FCFDFA12\dismhost.exe {2022A39C-5FB5-45F5-BA1C-0FB47AF89E11}5⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:5020 -
C:\Windows\SysWOW64\sc.exesc query HvHost4⤵
- Launches sc.exe
PID:3856 -
C:\Windows\SysWOW64\sc.exesc query vmms4⤵
- Launches sc.exe
PID:4088 -
C:\Windows\SysWOW64\sc.exesc query vmcompute4⤵
- Launches sc.exe
PID:2832 -
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s4⤵
- Loads dropped DLL
PID:4784 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s4⤵
- Loads dropped DLL
PID:4544 -
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto4⤵
- Launches sc.exe
PID:2412 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" start Ld9BoxSup4⤵
- Launches sc.exe
PID:3964 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
PID:800 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312 -
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"3⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\takeown.exe"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4196 -
C:\Windows\SysWOW64\icacls.exe"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3112 -
C:\LDPlayer\LDPlayer9\360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe"C:\LDPlayer\LDPlayer9\360TS_Setup_Mini_WW.LDplayer.CPI202407_6.6.0.1060.exe" /s2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/ldplayer2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1060 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffa8c7946f8,0x7ffa8c794708,0x7ffa8c7947183⤵PID:4828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:23⤵PID:4360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 /prefetch:83⤵PID:3280
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:13⤵PID:4648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:13⤵PID:1184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14722968295899741114,8550152009917375126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:13⤵PID:3784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2732 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa8c7946f8,0x7ffa8c794708,0x7ffa8c7947183⤵PID:4916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:23⤵PID:1684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:83⤵PID:2104
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵PID:2172
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵PID:1092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1385593354105017684,4405355058269640676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:13⤵PID:4400
-
C:\LDPlayer\LDPlayer9\dnplayer.exe"C:\LDPlayer\LDPlayer9\\dnplayer.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380 -
C:\Windows\SysWOW64\sc.exesc query HvHost3⤵
- Launches sc.exe
PID:3368 -
C:\Windows\SysWOW64\sc.exesc query vmms3⤵
- Launches sc.exe
PID:5036 -
C:\Windows\SysWOW64\sc.exesc query vmcompute3⤵
- Launches sc.exe
PID:4100 -
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb000000003⤵
- Executes dropped EXE
PID:5064 -
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-0000000000003⤵
- Executes dropped EXE
PID:2692 -
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-0000000000003⤵
- Executes dropped EXE
PID:4376 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2348 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8c7946f8,0x7ffa8c794708,0x7ffa8c7947184⤵PID:3532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:24⤵PID:4924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:2640 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:84⤵PID:1940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:14⤵PID:4972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:14⤵PID:1120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:14⤵PID:3332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:14⤵PID:4432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:14⤵PID:4740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:14⤵PID:5132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9568620053254283819,12395898103254474394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:14⤵PID:5720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5284 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8c7946f8,0x7ffa8c794708,0x7ffa8c7947184⤵PID:5300
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:24⤵PID:5604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5612 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:84⤵PID:5624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:14⤵PID:5868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:14⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,13250953576675983466,1597668697490532121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:14⤵PID:4996
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1948
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4432
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x51c 0x5181⤵PID:3844
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4156
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Modifies registry class
PID:3636 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
PID:2648 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
PID:1884 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
PID:3872 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
PID:3160 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
PID:4156
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1240
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1724
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4008
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5848
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ResetStart.mht1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4908 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8c7946f8,0x7ffa8c794708,0x7ffa8c7947182⤵PID:3476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵PID:4808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵PID:1216
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:3332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:4740
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:82⤵PID:6040
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13588756982475197822,4319427031807382211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6140
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2988
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2556
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\ExpandSearch.gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4524 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2080
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SetCompare.css1⤵
- Opens file in notepad (likely ransom note)
PID:2924
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5b15f727f589e6580f5f1662d42854612
SHA17fe2975f7f2fb5ae19e5ae47622ad8948d6fe517
SHA256f6d4853ce61da668bb9e1eae7f84f705bfc4f19329f2399e00c215f7a5e83422
SHA5129ed0c89982e37225316d24cb8ee42c8b40d83daff9cf7557ee44f845ba248b04dbf42b751ccde988dc236553251aaad18f98c3495ca8b04eff3cfa3cd139aee3
-
Filesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
Filesize
51KB
MD519dae6362eb73913f7947f719be52516
SHA1e157307ae8e87c9a6f31bc62ecdf32d70f8648d9
SHA256ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d
SHA512f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2
-
Filesize
1.2MB
MD5330013a714c5dc0c561301adcccd8bc8
SHA1030b1d6ac68e64dec5cbb82a75938c6ce5588466
SHA256c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a
SHA5126afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1
-
Filesize
3.6MB
MD52061141f3c490b5b441eff06e816a6c2
SHA1d24166db06398c6e897ff662730d3d83391fdaaa
SHA2562f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0
SHA5126b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc
-
Filesize
41.9MB
MD54def56a3500d5a4dec3ff797a88c5751
SHA11a53c9c6f3d1e27ac8532e09f87990505c8090de
SHA256c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4
SHA512a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8
-
Filesize
5.0MB
MD5d4d2fd2ce9c5017b32fc054857227592
SHA17ee3b1127c892118cc98fb67b1d8a01748ca52d5
SHA256c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185
SHA512d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918
-
Filesize
17.4MB
MD593b877811441a5ae311762a7cb6fb1e1
SHA1339e033fd4fbb131c2d9b964354c68cd2cf18bd1
SHA256b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b
SHA5127f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4
-
Filesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
Filesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
Filesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
Filesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
Filesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
Filesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
Filesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
Filesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
Filesize
522KB
MD53e29914113ec4b968ba5eb1f6d194a0a
SHA1557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA51275078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43
-
Filesize
854KB
MD54ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA152693d4b5e0b55a929099b680348c3932f2c3c62
SHA256b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA51282e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6
-
Filesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
Filesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
Filesize
641B
MD5712a127b9517dcd246145dbca979c809
SHA15a4df70b792fcff9d8527723a8232d0994857109
SHA256a374737c24c3479e21d61018290a1cd08bf7fea6f67f45af8f6ad4296badf126
SHA512941956b13e2ad53d2d64a6d7d005f2d402f97838a94714aa6737b99cfa96614ecd0414c0dc2a934f3e357f6562c21daedec0240bca631e78d45a6f3d160f4877
-
Filesize
35.1MB
MD54d592fd525e977bf3d832cdb1482faa0
SHA1131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77
-
Filesize
152B
MD554f1b76300ce15e44e5cc1a3947f5ca9
SHA1c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7
SHA25643dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24
SHA512ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a
-
Filesize
152B
MD5c00b0d6e0f836dfa596c6df9d3b2f8f2
SHA169ad27d9b4502630728f98917f67307e9dd12a30
SHA256578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1
SHA5120e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da
-
Filesize
152B
MD5a870d1e22451fe178c351580fa9e31f4
SHA170ae09e0a1852c76122a2fc202b9ab60a14a2213
SHA25650a798dbef7ab0f49c686f3408d423d2e6d09f2b3440e3cfadec288b8fbf1512
SHA512ca5f8ff302c48d50dcf4bffddbe8155855875a61b72c3aabee4c54b24ab6bf1d558318d1278afe1103e9bcdd0605e409b69dc64ddadc426a2d5e6e27053958e6
-
Filesize
152B
MD5e6d055237cc5ac8b34e2616da0e1e391
SHA10ab1fe501cfaf1266be8ba01c79bf33468b9dfae
SHA25621de8724287101fa4f2d99127c971545025185122f35ff9ff6cc5bc11b885909
SHA51259b22aebe2d3979bc29a8ae34df813f9f12321a8cac855e6258e6b6965c53efbab75f2c6a531d5c3b844ddbffbafed7639d750592db716de7452ce05876e48d8
-
Filesize
152B
MD593d978de0b4283f57495b59545cf4360
SHA1a545b4f9bae3ac46a1fc8b0fbbecc9b6b79b3335
SHA25604cb42b49eb17c31d955cd51d2ddebf4d296779fe3a941d3334c7d8061104630
SHA512ec262d72d9d723cf6da8c72abf4e50da4b4e392e0397d61b271413db645a5483b1caa24fbd96c4478e06419eaff9aa15972dafaf92c4ccf88fd83d1fb8975b5d
-
Filesize
152B
MD56c470ba00e3efb35564bdec586bd0ce6
SHA1c99805dd6fc0364973e5dedde515a0eec0c02941
SHA25681862c6a1bd9b9444af33f8d939a87c6a6696cd9f003233fd8c9845474546aba
SHA51287b9ba52dbd9276a727111d8fb772b1ce50a24c8031ead9ec4173b42ced40c9ea7ed776aeb4ffc7670b0b851f6d38164c9753094cc8571310f9e0ea7f864e37f
-
Filesize
152B
MD58221db154cadc89b8bb9ffc9daca0267
SHA13ba5fd3503c814dc52f50db84d39fce24c444a09
SHA25663b6ef9f3c282ccb2460bbdea3092475cab69aaef95d7a3731170ee764257b4e
SHA5126a1dc678d12fc40899714619973bf103e7d1cd09d24743383e50ded234bc53396282b002ead4114e3c0373ba987f44316c806d184cf31addc7d4c01ff96eae2c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize192B
MD58ff2b0c5766860494f25f20d6462eaec
SHA1e65ce5712d57d90afb7b2acd2f222341ddf9c991
SHA256097d4b1568423b5e61ba8816680385b924c5e9babe4e16b528092d680b6b077d
SHA512b5abd868c6204f0df2a39d27769d8b050af80d7a79ec39d83ee3bf8c0570ad927d0f41dd86b7389cbb9b69cea7b2a6f9a8482c4dad15187202dd8d12ffb9e968
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD51fb309a5ddffe96cff47815de152509d
SHA12f505e698a331efc677d0d014be1542fb61fc522
SHA25675d8074b7ce228f3908b541d25b6a42c06620a5c1b66383954980599f78ae24c
SHA5122ee082a574b42898550471e073353bff4e0552016bc314c373c316331cc26b392657a810e540d2ae1c20de8732dbb5c45e4360e5f527adba89fa6a9b56570c1c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5d09eead1a1a3ac6e96c43ea35d9bdde2
SHA1fcefac9f2356a622ec7eccaca59f426192c13550
SHA256353020d194d475c4280835f1001da4e71734626d4caea23ae20fb4b63505bc5f
SHA51286c31d99d19ba35223c546a24be9e6150547b86dd5ba9cbd3f00fa853ce6484bf17ddca2eee9f45f25fc1c212e64f1d60341aacf058b6f1ead8cddf93822ea83
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
347B
MD5c346bce84e2c74d66bfc588bfd40d413
SHA1ba8a0891b5ac2d0258fb4a0e9514d58c0bcf44c4
SHA25688bed144e0a4376471123897ea420c558244dcd3a356c8177c642bd4749bbec8
SHA512f3d2505be0ec4d2013d7118a62398e385eef462aa6a8066a3d09e32ad0bc3483440fa2c39965324abcc111ed2c6e953552571330261ecaa051346bfd11529b21
-
Filesize
692B
MD5be3d8f1ec7edeebd3db2ffc0174533c2
SHA1359b8e4b6e733882a357be607c58c0c74f957671
SHA2563e3bb1a97b2fc5f98dbf70091e75748bb25fe4436606084d9787b06694641f12
SHA512e6d69f4307b1d0db500f47be5eff1edf8be8d0c8d46fd0e93aca7006ffbff9dfba882ab2e98d03f073f3589b8ebaf2838c3ce7f160a14763de4890f7da2c121f
-
Filesize
10KB
MD58bcfb650fc47d58a2bb0e6ed7aaeeffd
SHA1ce4814b15bf3bf8f08c94a6c24d17a98931e6581
SHA2565a0ff08058ebc897ff39c0bc7f2dd6b534e1589d24fd68f82642423620a51329
SHA512cc4dcba0741a1985d865982ab0cd7607f24627147bb5ac17a5712ed86d59f53c390da4022946fbc44cbb4c93bddb4f2108ca05de89d45715cbab414e6eb46736
-
Filesize
10KB
MD52b2e1e4fd646913e803f0cb8c9058384
SHA14f2453f66f704db756063fadd377ac59dcce5ec6
SHA256fb4dba5ed2dd9d44b7997f6e4f8d9ca017ae9c753594067ec901c01c43790163
SHA512784707132582e503e61a5f9bf9bfcd1e10aa2ae004cae147940849a95ad8da174cce2749604d478b8ae894abf5b6ea9d07373640fca700f2832bd82d416f4809
-
Filesize
10KB
MD5b3bb9bcddf64376e2958a84a30488484
SHA1eded2a9a9ad75fa9dc6f66fe5031187f213bd2a1
SHA25626fec659cdb62093180eabe0ea87d3ef4fca63c48ad670f871742639b1b5735b
SHA512d6310c57b2c91ed8a10c9fc5e76f53d169f0cae98617f34b8015d9d5456d81bcd3448325b723e7611cb851c40493b3d1c4c1bf03a2bad67ab086f75524f06a27
-
Filesize
6KB
MD5dcdc3b70d202acc71ce6e6d6f97411ae
SHA167664e1a18adb22dff9b403f42cb1c97b6fd733f
SHA256c1bd63f4cb3724af6d778e997332591f4447074a475078dc188c1aa9235d91b0
SHA512d89023fe43d0c1810baf67262fc5b97d1ec78785842ae4966bdd4854d7515c22009623abf2347195f615865c981f23aa5c13177c52284d070d5716ded062abf6
-
Filesize
6KB
MD533df20483d2e06698910a4389c1c94bc
SHA16de8e1681d032f7dacfd7555ea8a6d0ba52d1a9c
SHA256fca05bd08715ea937e331a5d5b202277d4f115904355fa61f4aa8936b608dcae
SHA512b7db03d197142014646e4ae112d8be7e01d277e2f133b771b1c2c4b7bb7f10b4776f1cfbc359b6677b810dccd588387f3c1a17f34d866a757dff6e80123361ae
-
Filesize
6KB
MD52aa343f005bba7604668b497e2ece4ad
SHA1af26b50fc0b88dfa74cd3e07ae1dd3f9f496c3eb
SHA256740dfef3d19382921d2c8733561e3e0d237e1e17ca2938d6ea97ac680445b945
SHA512d329a2d4852040e10fd61bc766f0c1905b1fe99f708209a5f7f39198c012882dca11fc6c616efea2da6b7856a210780f065b05412ab90e8ac6017a345da1e130
-
Filesize
7KB
MD5bd40deffabd39ada3feb231178c06a2e
SHA113d541b20b613fa7f32f009401babdd1def07b28
SHA2566f35a79cf8505ef148d63b706c8666ac06f6a2a4f63ea5d87f374b2dc128a887
SHA51215d32eae6f29d6909ef48c3e5939e4625f1c3f20a80176f333d13bdce32ce441db81caa5469e803a4582da3ada5adb34226c7e71daaf7988777e5f4a24dd1828
-
Filesize
11KB
MD5bee98ec8e7339c1644cea78beab801a5
SHA1599c24875b0221dd585dee7e84f6edb1b734dd46
SHA25636be1366e2af62a75d6de208fef5ca8692657e6e99daccad00ceb15a9d8faf47
SHA51296377e1beef18ae064fadcfa88fe67e448d96cc16d2a7148423b6cfeb1cd1cf202dcaef82b9641b2b6915454b944ff3a20bf25040475625c46ec42e41e986e67
-
Filesize
12KB
MD564a08b240e3fc246008f89aa0421989a
SHA1dc517c0bfa2d125c34bf1e288dd56ce389a270ea
SHA256e598e976879abd728f6003631d4518eff58822e7f68bd3382a6c2c7de7df21a2
SHA5128db79fe972713656833baad566fe8cda1a42ed5d6932e630824945d86a62d654f375db1ebc5eac8a2593268cf9dcb6d7f4bf93c90692191f61166e2f9776200e
-
Filesize
12KB
MD56a25ef2a28754411bbf0c9364ef42095
SHA13991c0d928936e27d58b3df1644ab31d8b6ba7ac
SHA256a514583b846ff2b2a01072e089b0e9c1bc5606987088c83e4f8f107140112754
SHA512e8f39630e6741a1f8a1ee14d6168dcc8890173cddc540f2984966cb4693035b015fcb4ea95ebafdac34901fa3655ce26ed7167b63d322eb5414ddd7e7ab566a7
-
Filesize
12KB
MD57af792eaadc90f44f8ed0689d7b5e0d8
SHA11f4e8c3f45fc5b2ac17dcb15ef6902ddc8a2239e
SHA256049da68d9e3e464366c1e3b4447f5bb5508cfa086d92cbf5868cdfd8c6be7c97
SHA51211845fe937d2c626ce06357156e3533e05427aecf9090d9ee3066f1ad75c835dfbcbe99bc12a4b7fe8d630714a223f2fff49ac0b8a1d14fec3092c32af3c77ec
-
Filesize
7KB
MD58482c504c6dc38b019650abeb0028e48
SHA191ae5e1426b58abd55c3a2fa8ffa0fe2ce84f5bb
SHA256891104bf73cbbd83de078b4c22c901ea76382ee3c7d2d7b01349f489ff9d8b7e
SHA5120889642285a6ffc2a252a0ad15b4324a689869604a1b316cedc5d0ef05785a36bf761f5dd6ccc14f5f0eaab6a3475c96371919d15c76c0844b9658273d6828bd
-
Filesize
12KB
MD557d2f8071b089099259f3fe73c1a15b7
SHA17109fcba830d4b4c86a50f5824018ae0c9771480
SHA256ec432de2c1ed986c3ec15f74c094eeb9ab2b744623fcd601d2cc28aa8994357d
SHA51231b16da399ea840af096c35704f7275897ab508a8dbc826a34fb05beb1fc3cdea36cb1c098c8ca6df36f8603aaee47a753238372aa4c597ca224f6f52ef29914
-
Filesize
538B
MD5c2b0fa0d865e0fdd7e076d59f06b03a3
SHA1e3a598148410d8805a1626332552f5b78aaddba3
SHA256355d823cbf933dde881cf9b1c019864991ad71d4a68305fc9ca22713083e7d8c
SHA512f220412b1b1731cc996e8fd6eb4116d069dc87f01819d74a52060b0d60cdfb48aa3413304d88991fd30a8ba4c26451af036db9f63888ad982c8d3b5be5869d59
-
Filesize
2KB
MD50f36eea9a02aed3e77a209730f9312bb
SHA130ffb68be81280643e71636c9d96876829781e03
SHA2565aa2aac1153469dbf27710b955f1f22d6578c049ab0a8b0d1ad4fad509982cb1
SHA51203c882c1d199377e0de5a2e54c239436b589bccd1631d63b96d6b79c0c50581893a649d202d1afa3f8773c8296ac0c56416697e3cf7ff1f548b522e6fe6a2dc3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c2085d6f-580c-465a-bd31-1e768ad41dba.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
11KB
MD59637b1c2a9902c4f3e623fafe80a1846
SHA1b994d346b3be4e5a35237ab4e61448d219cb1fc3
SHA256edb6700c4c0217358c3dde0fd25dccba1bc3529f85de3675d5ae439d5156e9c6
SHA512d8b5e514677a7d14a6a5238dde1063bc986ab23267e9309ca165829ddc0233273afc695296fc519f04d7bcb61cc2240579ba54e3815dfd61e76ddb92075026ab
-
Filesize
10KB
MD5bd3480ab4bc7d5a82a0910b1df402951
SHA18eb079b0c4e6dbc107da46a8e571fd390ca9434b
SHA256c6e45bcd928d82a57e8bce630aefd08a8aede5ff6598c3d02b72e1b0e3f6b687
SHA512647f4f3860bca7a1de12592ed0f74a9708609c26388cdcc2b694c6262a4b531767148aec10e88ffd6ba691b61c9f3f5a529f2971040a68511ff72b07d39eb7e2
-
Filesize
10KB
MD59a45c0f9778dbb8e1d52d7609b409b72
SHA195edcf3ee01e2dac267a0fa114b99dd50ceb1167
SHA25642f0a7eb9f3081db83b84f00299d53dcaeafd674c302556ed0467c8968461026
SHA512882c9219f4cc4890e59200700512abc7d4dc87cb1ceed4bc1746f96f457d6abf366d5827cadb1f5d5a92afe3f121c0d56b5f8507d9c6bc905f48965c2e018f2c
-
Filesize
10KB
MD54a2be72a22a7e9505c09dfd518e30626
SHA14e23a816d2ffe5c8b67f385c8a21d6ccf53fb8c6
SHA256a3240ff1f19d3c4c05ecc2b6d853cda50a75c1e92961d950763f2f7bb2788c66
SHA51254dbf2c0419b8b5ede0dc4e7eec2af50da5d830e2dd080faa79cf7c6812919b78d08908d116da6fad6af33a254aa2876523f840d2005ecd14e4be5c8213552b4
-
Filesize
11KB
MD530b0ca34e0315df3e3165b47cc2d6c32
SHA15516eb98205fd50e055424cccbf2394c7a8fd985
SHA2565230b83607a917509968e282f6ee3e9dd60b4fea7a4e6d58f09db75ae53f4681
SHA512ca9043b323d3d7fa7db97d1a68b488a610a289a90900b0dee429036e2c4114253569a4fee00e2e6bcda3164f46dfbd879c0a0a4ecc08db6917c0c4756a4cf07c
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize654B
MD5df0245a8df2cb33ce6f3a835ab040fe9
SHA1521b113070561b621800dca26ea0e54598bdc80d
SHA256d9450f610b9f8aa9d7013b9e1a7abd38cd6f3e3440a4fecdcf1ec0e3e0f781b9
SHA512a15fe976db677a83a4feed99dc2c4024ed6d65c36de640573e75b5006b1739d5932a082a749d79d8c61ce1f91bce8bc91c5f0873c8a3ae8900c358baff3f03b8
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize830B
MD559f3348c9b330622912f0c6b6bd4b009
SHA1c1bd6e70c69f47974ff3318083e6bca3d8cabe5a
SHA256fac3db562c43351f670a48c50f7258c6edb852ccb4e0c434bc9af3f8ae28fa24
SHA5121525a779ae950502ac8c16eb197b8a3c5fb46a821e3a67189841cca2c561547f78c4e9d1ca5d6dacc99bf933038f52c0b0ca1e9ec56701d08fd97b4034c04d99
-
Filesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
Filesize
112KB
MD594dc379aa020d365ea5a32c4fab7f6a3
SHA17270573fd7df3f3c996a772f85915e5982ad30a1
SHA256dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
Filesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
Filesize
402KB
MD5b1f793773dc727b4af1648d6d61f5602
SHA1be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA51266a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed
-
Filesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
Filesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
Filesize
415KB
MD5ea8488990b95ce4ef6b4e210e0d963b2
SHA1cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA25604f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA51256562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b
-
Filesize
619KB
MD5df785c5e4aacaee3bd16642d91492815
SHA1286330d2ab07512e1f636b90613afcd6529ada1e
SHA25656cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA5123566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745
-
Filesize
59KB
MD54f3250ecb7a170a5eb18295aa768702d
SHA170eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569
-
Filesize
149KB
MD5ef7e2760c0a24453fc78359aea3d7869
SHA10ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f
-
Filesize
59KB
MD5120f0a2022f423fc9aadb630250f52c4
SHA1826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA2565425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA51223e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764
-
Filesize
218KB
MD535e989a1df828378baa340f4e0b2dfcb
SHA159ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a
-
Filesize
296KB
MD5510e132215cef8d09be40402f355879b
SHA1cae8659f2d3fd54eb321a8f690267ba93d56c6f1
SHA2561bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52
SHA5122f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0
-
Filesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
Filesize
207KB
MD59a760ddc9fdca758501faf7e6d9ec368
SHA15d395ad119ceb41b776690f9085f508eaaddb263
SHA2567ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f
SHA51259d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139
-
Filesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
Filesize
182KB
MD59cd7292cca75d278387d2bdfb940003c
SHA1bab579889ed3ac9cb0f124842c3e495cb2ec92ac
SHA256b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f
SHA512ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d
-
Filesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
Filesize
22KB
MD5bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA2568af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA51286351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c
-
Filesize
8KB
MD58833761572f0964bdc1bea6e1667f458
SHA1166260a12c3399a9aa298932862569756b4ecc45
SHA256b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5
SHA5122a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8
-
Filesize
53KB
MD56c51a3187d2464c48cc8550b141e25c5
SHA1a42e5ae0a3090b5ab4376058e506b111405d5508
SHA256d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199
SHA51287a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba
-
Filesize
7KB
MD57a15f6e845f0679de593c5896fe171f9
SHA10c923dfaffb56b56cba0c28a4eacb66b1b91a1f4
SHA256f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419
SHA5125a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca
-
Filesize
17KB
MD5b7252234aa43b7295bb62336adc1b85c
SHA1b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f
SHA25673709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c
SHA51288241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358
-
Filesize
9KB
MD5dc826a9cb121e2142b670d0b10022e22
SHA1b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9
SHA256ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a
SHA512038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b
-
Filesize
2KB
MD522b4a3a1ec3b6d7aa3bc61d0812dc85f
SHA197ae3504a29eb555632d124022d8406fc5b6f662
SHA256c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105
SHA5129329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c
-
C:\Users\Admin\AppData\Local\Temp\2D975573-66FD-442C-AB03-E7B4FCFDFA12\en-US\GenericProvider.dll.mui
Filesize5KB
MD5d6b02daf9583f640269b4d8b8496a5dd
SHA1e3bc2acd8e6a73b6530bc201902ab714e34b3182
SHA2569102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0
SHA512189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50
-
Filesize
2KB
MD5d4b67a347900e29392613b5d86fe4ac2
SHA1fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA2564ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662
-
C:\Users\Admin\AppData\Local\Temp\2D975573-66FD-442C-AB03-E7B4FCFDFA12\en-US\ImagingProvider.dll.mui
Filesize18KB
MD5f2e2ba029f26341158420f3c4db9a68f
SHA11dee9d3dddb41460995ad8913ad701546be1e59d
SHA25632d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3
SHA5123d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e
-
Filesize
27KB
MD52eb303db5753eb7a6bb3ab773eeabdcb
SHA144c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4
SHA256aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f
SHA512df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427
-
Filesize
6KB
MD58933c8d708e5acf5a458824b19fd97da
SHA1de55756ddbeebc5ad9d3ce950acba5d2fb312331
SHA2566e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6
SHA512ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f
-
Filesize
15KB
MD5c5e60ee2d8534f57fddb81ffce297763
SHA178e6b0e03c8bf5802b3ef429b105d7ae3092a8f2
SHA2561ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145
SHA512ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc
-
Filesize
3KB
MD50633e0fccd477d9b22de4dd5a84abe53
SHA1e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9
SHA256b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706
SHA512e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3
-
C:\Users\Admin\AppData\Local\Temp\2D975573-66FD-442C-AB03-E7B4FCFDFA12\en-US\OfflineSetupProvider.dll.mui
Filesize2KB
MD5015271d46ab128a854a4e9d214ab8a43
SHA12569deff96fb5ad6db924cee2e08a998ddc80b2a
SHA256692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec
SHA5126ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438
-
Filesize
2KB
MD57d06108999cc83eb3a23eadcebb547a5
SHA1200866d87a490d17f6f8b17b26225afeb6d39446
SHA256cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311
SHA5129f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002
-
Filesize
79KB
MD5d9cb0b4a66458d85470ccf9b3575c0e7
SHA11572092be5489725cffbabe2f59eba094ee1d8a1
SHA2566ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA51294937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
73KB
MD5b001f88504c8c9973e9a3b4dc03e6d1a
SHA1a54b3046a70a4f2c792ad6a382b637b599f1dc48
SHA2568ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd
SHA512390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8
-
Filesize
223KB
MD59e37e74836982b663a1be64be4efc5bf
SHA1dc626e6300a2cb495d2bd3cf2850d67244709fd9
SHA25655c81cb57c6dc4871002e8647402540d5b33fe8e08fb2974dec14b86a96095b6
SHA512b8aa745115521ee32f3f64ad8769fb224a246ff153712d55a787afe1a82ff68a5ecb4c5a0562c26d095c7d9fa0e5d35e5204490caec9a820a691a94198572fa7
-
Filesize
244KB
MD500b1d0d40995e4e43d1d8f901694c722
SHA16bae5416765be2c42f19b9a381fe39060beb0389
SHA256f311ca4adb857e4ca5ff450149d7f482e56d6d36e067d450c1d0f20cd31df986
SHA51254f232a5b074bab4dab94dcfc1e7e4e8edcb0c02640b782996d66adea16aec9ea40ffcc5f6f52ac6f19ef7317128c8ef06452926127fb8effc4a4d26bcad68a4