guerrilla | hxxps://www[.]ldplayer[.]net

Analysis

max time kernel
146s
max time network
336s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ldplayer.net

Score

10^/10

guerrilla discovery execution exploit infostealer persistence privilege_escalation rat trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla

Guerrilla payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00070000000236f6-868.dat	family_guerrilla
behavioral1/files/0x00070000000236f6-866.dat	family_guerrilla
behavioral1/files/0x00070000000236f6-872.dat	family_guerrilla
behavioral1/files/0x00070000000236f6-869.dat	family_guerrilla

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLPUTSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Decode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
6124	takeown.exe
3540	icacls.exe
1428	takeown.exe
5292	icacls.exe
5792	takeown.exe
5988	icacls.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
5192	LDPlayer9_ens_1252_ld.exe
3720	LDPlayer9_ens_1252_ld.exe
5956	LDPlayer9_ens_1252_ld.exe
6276	LDPlayer9_ens_1252_ld.exe
6456	LDPlayer.exe
4948	dnrepairer.exe
6172	dismhost.exe
5684	Ld9BoxSVC.exe

Loads dropped DLL 64 IoCs

pid	Process
4948	dnrepairer.exe
4948	dnrepairer.exe
4948	dnrepairer.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
6172	dismhost.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5684	Ld9BoxSVC.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
5460	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
6100	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5496	regsvr32.exe
5532	regsvr32.exe
5532	regsvr32.exe
5532	regsvr32.exe
5532	regsvr32.exe
5532	regsvr32.exe
5532	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1428	takeown.exe
5292	icacls.exe
5792	takeown.exe
5988	icacls.exe
6124	takeown.exe
3540	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxRT-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxC.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qoffscreen.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCpuReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxStubBld.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuth.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5256	sc.exe
5132	sc.exe
4720	sc.exe
4368	sc.exe
5688	sc.exe
5300	sc.exe
488	sc.exe
5220	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1252_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1252_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1252_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1252_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ = "IGuestDnDTarget"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\ = "IUSBDeviceFilter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ = "ICPUExecutionCapChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ = "ICPUExecutionCapChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\ = "INATNetworkPortForwardEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\VersionIndependentProgID\ = "VirtualBox.Session"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\ = "INetworkAdapter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\ = "IVirtualBox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E64A-4908-804E-371CAD23A756}\ = "IMouseCapabilityChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\ = "IBooleanFormValue"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\ProgId	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\NumMethods\ = "19"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\NumMethods\ = "34"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ = "ISnapshotTakenEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7708-444B-9EEF-C116CE423D39}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ = "IShowWindowEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\NumMethods\ = "22"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods\ = "28"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\ = "INATEngine"	regsvr32.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 227034.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3780	msedge.exe
3780	msedge.exe
4084	msedge.exe
4084	msedge.exe
1592	identity_helper.exe
1592	identity_helper.exe
5552	msedge.exe
5552	msedge.exe
5192	LDPlayer9_ens_1252_ld.exe
5192	LDPlayer9_ens_1252_ld.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
6456	LDPlayer.exe
4948	dnrepairer.exe
4948	dnrepairer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe
Token: SeDebugPrivilege	6456	LDPlayer.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5192	LDPlayer9_ens_1252_ld.exe
3720	LDPlayer9_ens_1252_ld.exe
5956	LDPlayer9_ens_1252_ld.exe
6276	LDPlayer9_ens_1252_ld.exe
6456	LDPlayer.exe
4948	dnrepairer.exe
5684	Ld9BoxSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3748	4084	msedge.exe	85
PID 4084 wrote to memory of 3748	4084	msedge.exe	85
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 1400	4084	msedge.exe	86
PID 4084 wrote to memory of 3780	4084	msedge.exe	87
PID 4084 wrote to memory of 3780	4084	msedge.exe	87
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88
PID 4084 wrote to memory of 1920	4084	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc72146f8,0x7ffcc7214708,0x7ffcc7214718
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12586706398898033831,2067041620916202785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5192
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1252 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6456
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524784
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4948
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5400
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5424
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5712
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1428
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5292
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5792
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5988
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\dismhost.exe {9FC9218F-E4AA-4D05-A9A9-22CB3853B716}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6172
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5220
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5256
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5132
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5684
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:5460
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:6100
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5496
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5532
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        
        PID:4720
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        
        PID:4368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        
        PID:6464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        
        PID:4112
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6124
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3540
- C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3720
- C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5956
- C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_1252_ld.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\dnplayer.exe"
1⤵
PID:6944
- C:\Windows\SysWOW64\sc.exe
  sc query HvHost
  2⤵
  - Launches sc.exe
  PID:5688
- C:\Windows\SysWOW64\sc.exe
  sc query vmms
  2⤵
  - Launches sc.exe
  PID:5300
- C:\Windows\SysWOW64\sc.exe
  sc query vmcompute
  2⤵
  - Launches sc.exe
  PID:488
- C:\Program Files\ldplayer9box\vbox-img.exe
  "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
  2⤵
  PID:3312
- C:\Program Files\ldplayer9box\vbox-img.exe
  "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
  2⤵
  PID:5376
- C:\Program Files\ldplayer9box\vbox-img.exe
  "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
  2⤵
  PID:6416
- C:\LDPlayer\LDPlayer9\vmware-vdiskmanager.exe
  "C:\LDPlayer\LDPlayer9\vmware-vdiskmanager.exe" -R C:\LDPlayer\LDPlayer9\system.vmdk
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
  2⤵
  PID:6360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc72146f8,0x7ffcc7214708,0x7ffcc7214718
    3⤵
    PID:6184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
    3⤵
    PID:7124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
    3⤵
    PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    3⤵
    PID:6292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:6756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
    3⤵
    PID:6400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
    3⤵
    PID:6152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14056547146382171963,16285577594560106446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    3⤵
    PID:800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x514
1⤵
PID:4252

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
PID:5488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
c1aaecd89c6d61a1b0e50549e70926e0

SHA1
ab060b1f91e52ff37fe8dfb1bfdd0c0d3e34b75a

SHA256
e98725ce91129071a2215f818aa152ea48ab36367356d50b2586265644076519

SHA512
258f3ed8bd5e99f345d9ee7c12ec1f2b6ca4c399af7bb9197a77c44a9d859508b657cd491142a0b0c961c7b0067ff537bfa451e0e6a3639f7c08b3259d49155e

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.2MB

MD5
6ca6b280f663ae36cba09380da45732a

SHA1
ba8a8236248405e079b70e586268187f75f67191

SHA256
acb586bb385c35ae37ce1727d0f032d54a472e521e9947197bd7c0bf023fc394

SHA512
aeda05f386920b897a03f8429727a7cdd02817e4ab6c6de51b0b25b01a1c0e62cd772e40f4c957c3cfd1ba06c499217c398e5b8ca35e076d8e739ee60678d37c

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
22ecb3a1881e87d1aac0b5eebc344e3b

SHA1
d3838c6afde16a5142886814d1c257f5b6f32372

SHA256
d538fce490ee03ab69d3f7362172282a311d6bf7037f2fa156fa37a5dbfe3185

SHA512
355b55f3aebc40a4ca0ba4bb7492aeae2ab9e8838e2b4d7212d6f11c0db5db3240244a8fa434791a37b8d6c130df7986f3e265441fac29628a56f962950f4f37

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
e7e90b0a5ca7e0c80d7baa3f18e3e9f0

SHA1
167a7f8a8028ffdc38aa5e2da68244c774426403

SHA256
8df63a6dcdb991f40dccdf1dcd0008b35a33ba4bf67a108dca016610543d730f

SHA512
1eb0a3409337c5460046d3138155e6924dc3fa7abff6f05d9e976ce43d7c66928026f814d19c3eca68f89c040e9bf73f70df4cfa7186716d55607421a5f817ff

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.0MB

MD5
85e3c7e40ab9e6c388340e47f7929bd0

SHA1
6f182153ede12b5886293d9cf44f2fe2646598a1

SHA256
fcc47f1584ba87e2cf2c689072c27d03a901e171c01843cc9451a977b1a1805b

SHA512
95898b4014cbddbf38a9edc2971c6df8d252bb8b51ec62282a8f6819cc0b69b5a19fd27a0123e1360e15a006fefda8fb49600c84b97e1b9f480a753e4562c498

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1044.1MB

MD5
12c87b83d73052b9c9eaefa9302532b6

SHA1
0235a5c99ceb45e29041c705cc2b050690a025d5

SHA256
9fa7497cb22b9865326c756d30956adf8133df5bf678130cffcb8b7fa0b043ec

SHA512
5ad5ae279e31e4cffebf9f0d4eabad71400f9ad959aa6b0ba1b8202a3c49a1812ae1b74d07e61d8581950c74e2e7e3853d3df0c1e97616a7cd12c5e8e652279f

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1038.3MB

MD5
5f8075202c684dc7e6d4ba128b211af2

SHA1
f345c4c7062ccc9cd5490694c89a2b954fb90fec

SHA256
8427564e66e606ea67a47e2e1173110b5b607847b8fb7f8f6cc492a2e6ee4834

SHA512
b5574f77042759ec955e57149e20f5c1aaf4aa6487629d1915fd26b081c4c511b54c772c82a868aa8b0e7caace2bca28572833fa4edb242845f3654776559064

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1205.5MB

MD5
b7e2d0563213020dcc9013dbb0569b58

SHA1
44b79974ac9728be64495d73215ede32cffe8ead

SHA256
1ee4953fbd7053c77c1e294cee8bd9b389914e7995c476a8fe98cb680dca4716

SHA512
7b2ee68b61402fd16b9b27946f28dc18e8278bbf64ad3613342609a665c321348ae9b9ef3356224b575aeca912b03628c6e096f1b7ce15470ed915a01357737c

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1043.5MB

MD5
b6c3a138a4c15c66a6c4eed30643c18f

SHA1
0121e2956059eac847400f0aee2cf4750b3b9fe7

SHA256
e32204737f974d22c6be4bedf3c0382b5e2cb01536d9de47e02e3bb739d835b8

SHA512
37c154e7ff7dbcf12b79f8ebaef6a5c3cf8b5ca6cf173e186e9dd3d94d3ffc9f32f973ceec6b9259a953eca4ed602846c76b4f7a8514973f72e5d186a3b0cbc8

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk.lck\E59786.lck

Filesize
512B

MD5
9481e803cd3bf585ed520b95d085d37a

SHA1
55f5f1fe830d212674254549d55bd2980c8bc3bd

SHA256
efe1d128bbf1830e4f6306f050f21779e9b3a9bf8a15f0b31d78b564fe347e41

SHA512
61e5d1cf4d41796394834ffa620e5ffa9aa1f21a679bf8196a60f07b22f357947ce24c15e4f772385d8f8a37ab45329fa9ddd43e2dc33d39856aede2dfb585de

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
641B

MD5
b2870eff42ab596733426690ce6b97d5

SHA1
02181e18e02984440ac42afeb22bae3d004bb566

SHA256
70162756dbf972c282b928538adc09415311bb05d70f0c6b65e58a4182b28937

SHA512
7f263dda3ea402367eba7314516850f845670933a242c874dfc72f2cd0dafa34ed9924dd35bca25a487e4848891968bd4e8b69cc9fbf76f5c597e6ad26c4cb43

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\NotoSans-Regular.otf

Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
2528dcb24e63470b192fb745de0031b5

SHA1
22558acf0b4368436a5a8740e4ba5bd70e429b58

SHA256
580e75d22d26eb52eada6df7181a89d8e6b46713826d47696802010d92696c1d

SHA512
7f222ac345e6b28659337f0cc4493e6fcf022a3c18445fd46defd10e47c09f5c661f29f7ce84e91419379ff71130b2d4fec46fabd453026ee769294f6f3bfe9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
5a14c31de309cf30bdc55c70883f0bd7

SHA1
6980e4607e79158996661f0688eed47b114725ca

SHA256
3ecd0538540ae1cb020a6ba4bd7600896cceeafb7b7adfa9be709462be1278de

SHA512
8b2d2849632e93a6c5bee850e429cad6c38f16bd4be01bd0f15a376b9ba0857f99faed91aa8cd267af816ca5efb5c0799a9b5c90c397b07a5f01a639a47e44a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
33352fc30277b955ebd80d356803c341

SHA1
dde5440f2c10d4b7a8f2f0a2ab47d5b6b9c86915

SHA256
eee76e6cd0103ad93e65a1cfb1e53da67416f6e3a6d202fe40ebc820fa541f55

SHA512
95693b02b58a3d7f0936cdc8a8d1e01c17e17dc3531dca83facdf999d6f9b5daa3aa17cd7b07f88581d23672aa40e7d260feaa767ccd617afb6e744d274e940b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
cddb8380d198f264b3a4d502a01e44a5

SHA1
4e5176c69dd2bc4bce00d0ab6a259d0d5551961d

SHA256
5b9b6acb995e38173deec1422617aa94d8abe68c8d0b427c63d787ea268ec3df

SHA512
41f089c22dc859d280a52518159ee0551420d092dbded6a849e8f0cfcbe1025df857f9a861dd0d3df076048ba023a0851d12ce7dfaebcb0b8ad5c956be7ecfb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
6dad358d18f6b1617b92f65c27f01fa7

SHA1
1a55b8eddc2984fe90800a41723f09866a469be9

SHA256
eb6bdec67a1042504553b2ac012635a907e59ea0401363be60267d63959f85ac

SHA512
b8605c1d301f015723d4a63f5097a4a14e9f3e0190b8f408800aa770e9b9daaec22ec3d2e6648a8e1d40a2c5e8250d3434d3a228427ab1bffaec8aba3df046c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
5e47135be1487eb58638e898916aa916

SHA1
1d0267afc36717f6d0f99a19f6b3fc6fd9dc636b

SHA256
b527e60c560528f98e3c894dc30f486c199231f3bfdb2430f7748b6bae182b56

SHA512
03ce9b2baa6dd83aefb94209917a5823e21b1951b039eda59647fcd415d5354e06e1179a79541d2e41cd711e9d5f21b5ef99df58c53612ad4245cfb69e568970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a7ea577991501d285cb8d494e812e10

SHA1
e144f18a687c7c0f141ce81389f696ce339e739d

SHA256
2ff2645a41e9a2ae622b3ac3dd8a6749908e39a793e170054cab4649d4e678f1

SHA512
771f4afd1f75b736dda7bd8ed72ab290bd2068c93fcd9b25ac24ed97bbe4622eea8840358efa54ffb4fae9ac3ceead3ab11e0880e21fddaea7a90ce5162c0ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
389531204133ca1c7eb1e3442f360c6a

SHA1
be2ab5dec118748772ac9a669a503d9775b7b771

SHA256
77c497993bcd358c7e6a3514b6742b87dd681b8ea06266bd531532da4be8911b

SHA512
f37e312baacd409af9926c69500af97b2292270991fcd62d0e8221cd256200df1c02bac92616a1f1fb75ccb51768d83da7c35d7510929be8397bce7fa6ce6217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
108KB

MD5
1e9d4ac9707f5aa982915200c87b9932

SHA1
94b6aa1c5f9d5514bbc14623a6561071ad6e730d

SHA256
a614d664e472808e22f14f27ed3a1dbda2c9055a09546b2e4b371d73a7bb5a60

SHA512
7d03f0c19ea69fd509a9dbfbca87dff8653cb3653d0e08280c302ef39e683bc75b3340180010ea83bcc5ac67aac7d618f5281596fff1744cd43ab6b2777c984e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
119KB

MD5
473b3bffb7db56cd120491c9bff7ab41

SHA1
ef6fc1346069c4dcf494f1145253d4468a5ff751

SHA256
d61f97e6bc50e668edbca852411a448f7ca8f2f03b2745de1bc4d30fe0d3746c

SHA512
115f08c529267bfb498858f05abe5bb1a4040fdd116187211217d54e0e39904b786617101020c381f5d25d0a72db138fb6ed83bc2f2727fc28dad49a46492f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c721dfbf3dbdfb792925d07fa4b3fdc4

SHA1
263b3f8b2f8d13683111211470a9f0c46073f439

SHA256
cc973f6c61dc5524e0d861c415c1ab0ca6913c0bf725400ab3e56609c3999a71

SHA512
1fecdca16b31e5933c1298bd0ac48491553c2ddbceb0106e0158397e32e224923e4f2ecb667b2a13025a1e7ebd520c8ad8f407c5ebea1b349d31babed0dee44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
d0965a972cf34c6702d43891bc3cd121

SHA1
937d47b1e6cbc3581e49a8fd5cf3dcabc120e83f

SHA256
f48fb57dee1afabc53c20cfe8982a1b0bb377b3644667be8bda935496e811f2d

SHA512
7cd264d9934487f9ec3c0f817473f3bcf1456ed48b46a267c66fab325b093c0339051e7bca27ffe9019b2aed42cf8d6cbecda98b63fb70627357da255540038a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
962596f1cbd79db705a3361671a216ba

SHA1
8f4e28382d110378b98e2f6d8871a765df1249ba

SHA256
02e6cd94f9acc127647027e283eb562843f71648e5b2ec94a432a9a80d774c09

SHA512
7aca9b1bd84140f93bb51a50074258eedcc2a1f3f9b140b4ca35f2a6bd19c06ede6a492b5dad6b584af1e45dbda5b3a2a96079b0282f8e316c17c8f1199936f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
0449189a465384c99cd63e250c077313

SHA1
e5329bf211bfe6955f6a9935588d6fbf41d871aa

SHA256
334ffd8129431a1d0181086bba46ef54112108fda9498d390afc480589eb4ea9

SHA512
82092e2d10f3f4184f3f784a84c7048bf6ccddcd3d2485dbd13d9ad0170a62bcc816ffc26c49070f10eb134a17d50998df56f3fa6dcaf953158449b1654ba2a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
f47a96070587c97964a2c33f5bb62c02

SHA1
90710f0ba2a951c21d0e689ec1c0251c7d7883fb

SHA256
ed36387deb3ca0acc8abeabfbf91898385abb1907a0a14749eabf5fc3c984a9b

SHA512
3f6a3622d70e4416b7ad2ce3b7d69150172ca63be2cefdd68d4ad789f162aa1e3308062823b8a9e4a4f102dcbef52e87b6173d14eea9945ed5eec91751afb5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
fa9ce3de4ccb31914a6cf88bd9f7ad4e

SHA1
b966b73db1008eac9fca965dd2196b669af3c897

SHA256
f667696db641eaa342693846f757ec6e56f37c3bfd328206b6bdf5d620da9762

SHA512
6914af66a5e5939a694e431df4651806f797402e3b90555cb769a4db5eda19fedb6e8f3bddac2d396a7a43550b945f2b73d183990a2531854f6c5c7345f5dd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ece64c6f74dd2be933b73184d6b5e94

SHA1
9fcc76d16551217a851c5121f6955523dda225c1

SHA256
ab673993519df3dc90aa5608c184901e293f1dc64fcbfb939762ac3420d5fe62

SHA512
87eb3a3335628206ff6373c918d42e9701258429edb1c59eadfc6b8e3211753e3e3dc28b90df9da41d4c4534a553d1efb62a9d9cb0b24e6e310f0d47dae09946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
744b192380c60f5b4e76bed6fec28fcc

SHA1
648dc408047b48fd8464be2a704fbb38db709a10

SHA256
c2c73cde1643c0aeef540d6379ed6419e5f5c16025675ee468eb882583a906e7

SHA512
bccec5eecf527568a3915e1d3dbf4056006b8f961b874759233572c1e8647e4afdcb7182ce22bfe1c17b1ac61a12e7e76b8d12bdd29d36d9be0224bf2f4bc42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ec15.TMP

Filesize
1KB

MD5
3e5799f9bc73a1f2e9a748e11ca511ba

SHA1
3205d52238288f6f53e4b2cd15602a444ab40342

SHA256
583f5a3c8ffcd840421012e8887a6c4229cc2922ecc3ce41ce6b74903e3419c3

SHA512
77cee0822ce57cce0cdfa763f404d7f5817b814d81d32e9fd98ed60d61ca35b59e1aa81134b41ff88630f88cbd025dc84233e4b3d91ff84061978d7048913f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
164cc51c861e855d6822f8e8ee08d5a6

SHA1
dc68e4abd47aa36d5fcc506261a7f044b1c468a9

SHA256
168d9d77348236e223acd43f00a96da97ef6886878f183d41fbf1f69efafc4eb

SHA512
3f279c3a2309404d1595b5ef3f5a2bbf980a57b934dd96ac1228317fecf5005659ce3f95b19581ee2933def25830862565dd0630fc36d1795838f185356e68e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bfa47dae577c1dc5e8ade3870e28e9e

SHA1
8b19742a728856827a092c61da5883e68d756709

SHA256
633e4ad1e527c679d5fe14b620802e2b67a9283c8dd1ddaaef19c490574e6a85

SHA512
837414ab89b24465e8f409d285f801fcbebc094a08913797c0ee6e66bb8b2c9df735b1c5cd521a0c5e130dcbfc94466d1bfbbea7ea64795ae98661276a84264b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
60a6152740f0f0c8a813f2d0e449926e

SHA1
8bdd3a0552fb9656d6e0b8a631f480eaddf01ca6

SHA256
f0f93f119ddac1d437b171261163a5a1f514c232ffc70f69d53420bccc372742

SHA512
444335587f7db6e315541b8ae0eabd67b053c067ae17495cda52464d58cea18916b34c6fdbda7d39d34f175c1777e3a3c2eae6ae778523a446cc1d2c7cd7f245

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\1888582A-E0C4-441D-A526-B75DA23134EA\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mfehuf0.fq3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
73KB

MD5
b7d668191f946ee108e7e1e71ea71776

SHA1
9f020d69b2bc828a6bf7cc5f4c7050a254d17464

SHA256
085bcc47aef41d67bcef760efd34846c8b39ed0530ea7e83f71fe02f864544c1

SHA512
e4090561859426f6fd79e7650db81f20642d9639ab58106a4fe9e36081778af5e444fe4156209695beacdcb09e79b0ee36b0f1bdf699e4711cbc14683295da30

Download Submit
C:\Users\Admin\AppData\Roaming\lddownloader_en\downloader.log

Filesize
1KB

MD5
f8e50eb624181c7655de659f1711849e

SHA1
c1d13695c0f41388cad27b92e0ce71ab22a5f9b5

SHA256
e05037e444ef2522843175584c3037ca4a9ee323f8d9627ee101d8c142bd76d3

SHA512
8ef424127ce5987d1816b64f45d8c452792880d950e9639617d33ba3ef9a7841c68f5fc7d36dda34353838d834f6cc496156d2097aecd1f13dda296af3bafc52

Download Submit
C:\Users\Admin\AppData\Roaming\lddownloader_en\downloader.log

Filesize
2KB

MD5
2716fdce59c42e4bbb7ab698dd750149

SHA1
2b108551543b25a3d10c20aa2c1e151437b12e48

SHA256
e021d9ef8763e2da5885b8cee39452799ebc7f0761d860a70182b1403b80b03a

SHA512
a8c243bc1bc230ed5f53e8b6172567bb215e15c193289a99b54cc25084e59efda6cd0bde8ea1c445aa990b1ef7d5afdfc71eb0e30226567d80aa244feb024619

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 227034.crdownload

Filesize
12.3MB

MD5
908e05bcf942179e42cac3cc4f9545fe

SHA1
bef82438f0881d828c625066464ac814ab8485ab

SHA256
292cbf497b51fb90b770f93fd66d82c92eb82eb5ec87587d19129101c9282297

SHA512
537e8810f8bc5aa7b599c9b7aed2de208ea0a9ca6d47914e260c257929b7cff913bd9777743940c98a4592b2e84d3af807c4a507680062b5e6c0dfcb6c85bf23

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
238KB

MD5
1cc0fac07f306fc8a0ea569532ae2e9e

SHA1
a39e64df4a02aa5747e88b857a49b830262a5f23

SHA256
7fbd14aca2dd2975b7ef4739b05425b41d1e8bb80159dc41c8dae91bd63df785

SHA512
0302847e8250d5f794a674cf22bad7f5b85089dda00ee9af9eeb35c9297819a0d687a5ddb836538bed0f8fecdf8cb1e7e3128ea8d028034a65717143345e70ce

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
276KB

MD5
1e6cc2b220beace97fed10e65600632a

SHA1
8384db9de7f3d43f549f26c77e7a8f6a750d4d0f

SHA256
4ac83eae0ea398fd15ad62c9fc10f0b0f5d55640a6dcbc3b403e01216708f1f8

SHA512
16723c41f672fd1f890ec6a5a89d4c9f3f480b1b3e711e8a146ab1a50f3dd1a7e37795f77aaff903b370ece130192a5c12cbf7386163db75f1466182eb4e10ee

Download Submit
memory/1904-1446-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/1904-1456-0x000000006E7C0000-0x000000006E80C000-memory.dmp

Filesize
304KB

Download
memory/4112-1472-0x0000000005CF0000-0x0000000006044000-memory.dmp

Filesize
3.3MB

Download
memory/4112-1477-0x000000006E7C0000-0x000000006E80C000-memory.dmp

Filesize
304KB

Download
memory/6464-1407-0x0000000004940000-0x0000000004976000-memory.dmp

Filesize
216KB

Download
memory/6464-1424-0x00000000064A0000-0x00000000064D2000-memory.dmp

Filesize
200KB

Download
memory/6464-1443-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/6464-1441-0x0000000007410000-0x0000000007421000-memory.dmp

Filesize
68KB

Download
memory/6464-1440-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/6464-1439-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/6464-1437-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/6464-1438-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/6464-1436-0x00000000070E0000-0x0000000007183000-memory.dmp

Filesize
652KB

Download
memory/6464-1410-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/6464-1435-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/6464-1425-0x000000006E7C0000-0x000000006E80C000-memory.dmp

Filesize
304KB

Download
memory/6464-1423-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/6464-1442-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/6464-1422-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/6464-1408-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/6464-1421-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download
memory/6464-1411-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/6464-1409-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/6944-1565-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/6944-1640-0x000000006FFA0000-0x000000006FFF9000-memory.dmp

Filesize
356KB

Download
memory/6944-1636-0x0000000070730000-0x000000007212B000-memory.dmp

Filesize
26.0MB

Download
memory/6944-1637-0x0000000070080000-0x00000000700FE000-memory.dmp

Filesize
504KB

Download
memory/6944-1639-0x0000000070100000-0x00000000706A6000-memory.dmp

Filesize
5.6MB

Download
memory/6944-1638-0x0000000070000000-0x000000007007A000-memory.dmp

Filesize
488KB

Download
memory/6944-1580-0x00000000367F0000-0x0000000036800000-memory.dmp

Filesize
64KB

Download