Analysis
-
max time kernel
207s -
max time network
208s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
12-08-2024 13:20
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.ldplayer.net/apps/forest-of-the-blue-skin-on-pc.html
Resource
win10v2004-20240802-en
General
-
Target
https://www.ldplayer.net/apps/forest-of-the-blue-skin-on-pc.html
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
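Attackers can change the Authenticode and Cryptography registry keys (the trust provider and SIP registrations) so that their binary validates as signed. Every Dll/$DLL value listed below names WINTRUST.DLL or cryptdlg.dll, so compare the values against a known-good baseline before treating this signature as evidence of tampering.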
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeEncode" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe -
Possible privilege escalation attempt 6 IoCs
Processes:
takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
3048 | takeown.exe
5496 | icacls.exe
5016 | takeown.exe
6028 | icacls.exe
5928 | takeown.exe
884 | icacls.exe
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 16 IoCs
Processes:
LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe, LDPlayer.exe, dnrepairer.exe, dismhost.exe, Ld9BoxSVC.exe, driverconfig.exe, dnplayer.exe, Ld9BoxSVC.exe, vbox-img.exe, vbox-img.exe, vbox-img.exe, Ld9BoxHeadless.exe, Ld9BoxHeadless.exe, Ld9BoxHeadless.exe, Ld9BoxHeadless.exe, Ld9BoxHeadless.exe
pid | process
5608 | LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe
2144 | LDPlayer.exe
468 | dnrepairer.exe
6088 | dismhost.exe
4464 | Ld9BoxSVC.exe
5260 | driverconfig.exe
776 | dnplayer.exe
6104 | Ld9BoxSVC.exe
3464 | vbox-img.exe
2168 | vbox-img.exe
1636 | vbox-img.exe
5372 | Ld9BoxHeadless.exe
2352 | Ld9BoxHeadless.exe
1816 | Ld9BoxHeadless.exe
2136 | Ld9BoxHeadless.exe
5404 | Ld9BoxHeadless.exe
-
Loads dropped DLL 64 IoCs
Processes:
LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exednrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 468 dnrepairer.exe 468 dnrepairer.exe 468 dnrepairer.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 6088 dismhost.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 4464 Ld9BoxSVC.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 5996 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 3684 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 6068 regsvr32.exe 4636 regsvr32.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
3048 | takeown.exe
5496 | icacls.exe
5016 | takeown.exe
6028 | icacls.exe
5928 | takeown.exe
884 | icacls.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\bldRTIsoMaker.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\msvcp140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\crashreport.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vccorlib140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\USBInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dpinst_86.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ucrtbase.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\msvcp120.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxStub.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_V2_utils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxCAPI.dll dnrepairer.exe File created C:\Program 
Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\tstVBoxDbg.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxRes.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\padlock.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\libssl-1_1-x64.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5Widgets.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\concrt140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dasync.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\msvcp100.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxC.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSupLib.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dpinst_64.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSVC.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll dnrepairer.exe File opened for 
modification C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\NetAdpInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES12Translator.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxNetDHCP.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\fastpipe.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5OpenGL.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dism.exe, dismhost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\DISM\dism.log | dism.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe, sc.exe
pid | process
2136 | sc.exe
2304 | sc.exe
5728 | sc.exe
2752 | sc.exe
3120 | sc.exe
3576 | sc.exe
4152 | sc.exe
3152 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
regsvr32.exepowershell.exesc.exeregsvr32.exeregsvr32.exedism.exesc.exenet1.exeregsvr32.exeregsvr32.exeicacls.exetaskkill.exetaskkill.exetaskkill.exednrepairer.exetakeown.exesc.exepowershell.exeicacls.exeregsvr32.exesc.exedriverconfig.exeLDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exeregsvr32.exepowershell.exeregsvr32.exesc.exetaskkill.exesc.exesc.exesc.exetakeown.exednplayer.exeLDPlayer.exenet.exeregsvr32.exeicacls.exetakeown.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dism.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnrepairer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language driverconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LDPlayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dnplayer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dnplayer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dnplayer.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe
pid | process
5828 | taskkill.exe
6096 | taskkill.exe
1056 | taskkill.exe
4460 | taskkill.exe
-
Processes:
dnplayer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | dnplayer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" | dnplayer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" | dnplayer.exe
-
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exeLd9BoxSVC.exeLDPlayer.exednrepairer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ = "IMousePointerShape" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8384-11E9-921D-8B984E28A686}\NumMethods\ = "37" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\TypeLib Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BF98-47FB-AB2F-B5177533F493} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\NumMethods regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E8B8-4838-B10C-45BA193734C1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ldmnq.ldbk LDPlayer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80F6-4266-8E20-16371F68FA25} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\NumMethods regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\ProgId regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00b1-4e9d-0000-11fa00f9d583} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\NumMethods\ = "15" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D612-47D3-89D4-DB3992533948}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ldmnq.ldbk\Shell\Open\Command LDPlayer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7966-481D-AB0B-D0ED73E28135} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\ProxyStubClsid32 regsvr32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE LDPlayer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\NumMethods\ = "28" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods\ = "28" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\NumMethods\ = "37" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32 Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\ = "IGuestScreenInfo" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\NumMethods\ = "58" 
regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046} dnrepairer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\NumMethods\ = "11" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget" regsvr32.exe -
NTFS ADS 1 IoCs
Processes:
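msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 389920.crdownload:SmartScreen | msedge.exe
Note: the stream is named SmartScreen, sits on the browser's own in-progress download file and is written by msedge.exe, which is consistent with the browser tagging a download rather than with data being hidden in an alternate data stream; check the stream's content before treating this as an indicator.
-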
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeLDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exemsedge.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exepid process 4940 msedge.exe 4940 msedge.exe 3488 msedge.exe 3488 msedge.exe 1524 identity_helper.exe 1524 identity_helper.exe 5276 msedge.exe 5276 msedge.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 1536 msedge.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 468 dnrepairer.exe 468 dnrepairer.exe 916 powershell.exe 916 powershell.exe 916 powershell.exe 5884 powershell.exe 5884 powershell.exe 5884 powershell.exe 2268 powershell.exe 2268 powershell.exe 2268 powershell.exe 2144 LDPlayer.exe 2144 LDPlayer.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid process 660 660 660 660 660 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Processes:
msedge.exepid process 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exedescription pid process Token: SeDebugPrivilege 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe Token: SeShutdownPrivilege 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe Token: SeCreatePagefilePrivilege 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe Token: SeDebugPrivilege 5828 taskkill.exe Token: SeDebugPrivilege 6096 taskkill.exe Token: SeDebugPrivilege 1056 taskkill.exe Token: SeDebugPrivilege 4460 taskkill.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeTakeOwnershipPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: 
SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe Token: SeDebugPrivilege 2144 LDPlayer.exe -
Suspicious use of FindShellTrayWindow 41 IoCs
Processes:
msedge.exednplayer.exepid process 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 776 dnplayer.exe -
Suspicious use of SendNotifyMessage 25 IoCs
Processes:
msedge.exednplayer.exepid process 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 3488 msedge.exe 776 dnplayer.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exepid process 5608 LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe 2144 LDPlayer.exe 468 dnrepairer.exe 4464 Ld9BoxSVC.exe 5260 driverconfig.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3488 wrote to memory of 5052 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 5052 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe 
PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 768 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 4940 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 4940 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe PID 3488 wrote to memory of 3956 3488 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/apps/forest-of-the-blue-skin-on-pc.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94f546f8,0x7ffa94f54708,0x7ffa94f547182⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵PID:768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵PID:3956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵PID:3752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵PID:2652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:82⤵PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵PID:1640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵PID:3504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4208 /prefetch:82⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:82⤵PID:976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:12⤵PID:6120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:12⤵PID:6128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:12⤵PID:5368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4400 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:12⤵PID:5688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:12⤵PID:5800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵PID:6076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:12⤵PID:5796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:12⤵PID:2672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6353833304401444330,12662600947604459215,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵PID:5624
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1052
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3628
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5560
-
C:\Users\Admin\Downloads\LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_com.kaibltdinc.forestoftheblue_3040_ld.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5608 -
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5828
-
-
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
-
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144 -
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=262906
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468 -
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
- System Location Discovery: System Language Discovery
PID:4472
-
-
-
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:6032
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s4⤵
- System Location Discovery: System Language Discovery
PID:5532
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s4⤵
- System Location Discovery: System Language Discovery
PID:2268
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s4⤵
- System Location Discovery: System Language Discovery
PID:4420
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s4⤵
- System Location Discovery: System Language Discovery
PID:4120
-
-
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:1592
-
-
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3048
-
-
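C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
Note: everyone:F together with /t gives every account Full control over everything under the vms directory, so on a multi-user host any local user can alter the emulator's VM files; this ACL is worth checking on hosts where the software is found.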
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5496
-
-
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5016
-
-
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6028
-
-
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\85422EC2-83CD-42A3-8730-21AA77FB40F5\dismhost.exeC:\Users\Admin\AppData\Local\Temp\85422EC2-83CD-42A3-8730-21AA77FB40F5\dismhost.exe {FA5D5774-6E1E-45B2-A2F1-D59FDBE71CC4}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:6088
-
-
-
C:\Windows\SysWOW64\sc.exesc query HvHost4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3120
-
-
C:\Windows\SysWOW64\sc.exesc query vmms4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3576
-
-
C:\Windows\SysWOW64\sc.exesc query vmcompute4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4152
-
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4464
-
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s4⤵
- Loads dropped DLL
PID:5996
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3684
-
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
PID:6068
-
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4636
-
-
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3152
-
-
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:916
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5884
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
-
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5260
-
-
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5928
-
-
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:884
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
2⤵ PID:5312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa94f546f8,0x7ffa94f54708,0x7ffa94f547183⤵PID:5884
-
-
-
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.kaibltdinc.forestoftheblue|package=com.kaibltdinc.forestoftheblue
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:776 -
C:\Windows\SysWOW64\sc.exesc query HvHost3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\sc.exesc query vmms3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5728
-
-
C:\Windows\SysWOW64\sc.exesc query vmcompute3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2752
-
-
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
- Executes dropped EXE
PID:3464
-
-
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:2168
-
-
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:1636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
3⤵ PID:6032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94f546f8,0x7ffa94f54708,0x7ffa94f547184⤵PID:5748
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x4081⤵PID:3404
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Modifies registry class
PID:6104 -
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5372
-
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2352
-
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:1816
-
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2136
-
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5404
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3484
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process: 1
Windows Service: 1
Event Triggered Execution: 1
Component Object Model Hijacking: 1
Privilege Escalation
Create or Modify System Process: 1
Windows Service: 1
Event Triggered Execution: 1
Component Object Model Hijacking: 1
Defense Evasion
File and Directory Permissions Modification: 1
Modify Registry: 1
Subvert Trust Controls: 1
SIP and Trust Provider Hijacking: 1
Replay Monitor
Downloads
-
Filesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
Filesize
51KB
MD56fcb827fe4a5ae344eae27b53d368903
SHA1719c435846d0860c3c2baf27055a6d114890a8ab
SHA256bc67354096d13b85a1a13eeb7a2ad899bb35b003519756d28f145e3c040f7804
SHA5129659a187bccd6fa736fd187abcf57eeeb8b1323d8cc269bb9793978243abbdf830085d6e1df5da7876710ddb5cab20c79d2f53ef4acf6f4826504944fdd5e9cc
-
Filesize
1.3MB
MD577138e2662cdeffd61cf6210ae3fb8ca
SHA1a085b99630efc74cedd0be9a0eeb57eff7b3850f
SHA25668c83685da55573ae966db3113ee513dd76ba489024373968e527bd44d814724
SHA512a4621910aa3ae4b5dfa558e69d0270717341467cf067d9397e2bbf118f789c87eef8750ecb25ffd9c60f51f35ceb40b211ce9a738116c4dfc06e543ac90d1bcc
-
Filesize
3.6MB
MD56fe5ee1daf303963482ffc414b1f4aed
SHA1076ebaeeb02853d96e20085fbedaf7e61f3a60d3
SHA2562685e5c1aa3cdead02024f21abadb413c6dc130946f7b44ca01b0cea64bdd2ae
SHA5128bc6758c95a53ebcd6b6fd27bdd3165f91bcd8f370d677afb7d599865b57ecad274eb21502235eeb64ad2624046cafa9f14576221b1503e333815df5a6dfe134
-
Filesize
41.9MB
MD58c32366769719275a9e4d9916d0fb3fb
SHA156123f2303dbb13f583ef1ff689d5ca26e53ba12
SHA2562a8774e1bf13aa2116c647953dc5e712deca53caa6d5de04f92548c0acd7bee5
SHA5124d69b154c572da5ea185ae147855d542744bf2aff0024a88f51f1c73c57724eb9f50277476ccbaaf585e1291b5c019154877e7289880e32fd9d20f1d8c851eab
-
Filesize
5.6MB
MD565eeb6cb2049e4df3a1db20f15db52ab
SHA110182b8c8e95079b105bbe66247fd0e8e97d4eea
SHA25668fe01a6df81242470ceb107f630a5be3281524ec8ea6aa2182b3847271ab053
SHA51238ddc0fe70b3f5051a8b2dc02c8dc4be695e9f0ac31654f42c1579b5df93c9708db09e6966fa61e528035c0d47bf09e4e4be38b670670948f8c65f3dc8ab18df
-
Filesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
Filesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
Filesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
Filesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
Filesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
Filesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
Filesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
Filesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
Filesize
522KB
MD53e29914113ec4b968ba5eb1f6d194a0a
SHA1557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA51275078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43
-
Filesize
854KB
MD54ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA152693d4b5e0b55a929099b680348c3932f2c3c62
SHA256b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA51282e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6
-
Filesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
Filesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
Filesize
5KB
MD5fdee6e3ccf8b61db774884ccb810c66f
SHA17a6b13a61cd3ad252387d110d9c25ced9897994d
SHA256657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4
SHA512f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512
-
Filesize
641B
MD5c974b8d00c6364b74f224bdc7721dd47
SHA1113de20629ca209d464892317fb08e8e498c91c6
SHA2567199e3083aa8c2aee411d5ce12c1f72d923404a9caa77c2531ddc17a062db8e5
SHA512e9c9da855b9922b229ff68eb2ca0cd5f5e23640108a1bface6705630cd60dfd589eb3ba413192f7f333eb7145491f3165f080890aa571d220fee8aabb70a5c97
-
Filesize
35.1MB
MD54d592fd525e977bf3d832cdb1482faa0
SHA1131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize1KB
MD5cdb6c9711274294aa8c5c563f8e7bed2
SHA1baf7019a8c44a3d80620901f831ab5f97f3b845b
SHA2565404db82c93fe65095c992c5bcd2c35ddfc1070b13e33e8ef8c29529abeffc2d
SHA5121efa146644a98480cd20a2b5fc227e2c0769534e27fa5342159651cb329cd120faa36c7bbf01e914d1a9a80ff12b9fe1d6a729d624eb5055b6d962beafa03da2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize2KB
MD5a738d58e81a085490f302a0fcc97612f
SHA13f09ddba2eba04238b386f505170f7c936d3b9f3
SHA256c02ab6d1e7096ec0fb207092b3256071adf46a9025a93c1bfa0e10b0fc515bf4
SHA5124ce6c5c788eac1c29bde971297a271ee62ff0a975b30bce4edc9002f6c2d3aac50581636e1ada8a24ce5f02e146170a762d7c71e2b2145a81fa796d357fc3738
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize1KB
MD515c2bb81aa85c4707f0c2cbe7fe9526a
SHA12421f33fe6b70d6b203df001cb5719d8a9ca4a00
SHA256e8995a5d8dc67755c62102a9ecfc6edbe8303d354e434f15a763d697ab15067e
SHA51237b2554e1019f3af3149cc0e6bb85fb3b6040d68b9502d5828b73a86bdaf76d6348f2db8666b5a9bb8859cd327c8f58f48de14e6c0decef50a00ba1d797b7dd4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Filesize434B
MD5fe3939f49026aa9349e57335dda3192f
SHA1e49b1bab43072d7b8f2fd73ee8f5a770ccb08076
SHA25605eb6ddfa5da5751ea1ba9ee636aef8550e85d7d4943c877c33ef0a77bc276d1
SHA512a1da9f1f2eeea5913975ce34ba7f22954ae594d9b7ee662a0bbef62be1bd6da60fd1fd487d2c4d36197be258a12b8b0d9b5eaa069b77daaab4aae7bef2c56016
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize458B
MD54ef8c30b5f9c2c90a93c0b8fc3bbb0bf
SHA1d01fb6d7c3d4c87cc14ceeeb6ed72dbfcc2df9d3
SHA25652e3d369eb9f48553f29e750211afc5b2511507a80240ca002eeb41674279399
SHA512dbce975674a3f062553ccbdbc008ef2545e2368290e35fdfc3a257b00cee8fa56cee19604c82b0b90de764b298797ddadded06ee9217f7a8eb327e47e797c977
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize432B
MD596b9ca3b9f90d1ff1e46202fa01f5b28
SHA1afb13038c227ea4a2b1264429aaf0f87a2540f30
SHA25605ca03ea23262381b6c4be5cdf200f91ad1dd2e576d9ceabd7dfad5833ebd6a1
SHA512bae0c066d9eef0c1f8aa248a59a3bd366bc95288e58132ad2bb66340e145d12f7c870e96d4b7f3075b4fe80807f28065789dcd71af715a0e45dbcc618433504c
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize
20KB
MD5af076fce47d859d009c16f2192bc94b3
SHA12f56c334cd6338b69a0f39c3edd6ea0a5b21bbd8
SHA256d36457358687310d026665a3aca628637697a703adde698287a3ea25ed49497e
SHA512d89b829f8292c2ce770b54c86eeeacb0f59e251134c17fba214649b132a10b99adf120b45b6c3c939b1846ada1626b683cabcd6313748c6fe62e1e72086f1a2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD51999cf7275dfc2f56d56f6d5979e3c9c
SHA16d0854083596a42fb3d3086d8fe693d769b58618
SHA25674bce300b72551a2ea1a9a3b58de3dfc050baa9c2b63a6dda9d801c487056ec6
SHA51272f6ae1ef5bd86baf0d85129f0d769436dccf1cc95397429cdb7c07092673e3f10105aa9cb915e22cfc568df939ec8922b0a63c07f71df3bccfb1cddc7f4702d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2KB
MD502a9b50b9a0b319d33caac0ae92ec74e
SHA15cd061741cea4568e7d3720c4129bfc7e4b801f9
SHA256c3051b1fd025d182998f5c9c70dd506216089028f0d0cb7662ee8cb7aeed09f6
SHA512ebcd755b0faa94eec0f7a2174c8a0bf03378b6e463bd6d3f177a9dcc041fef51bdc821b38178535de078ea4a43e407c1e73cf40b8483ed48e2a1b45868144c09
-
Filesize
6KB
MD5a2683bee977fff0f74fa94e1df5e5bce
SHA1b0b3b02594a86cbec882d3471c7dee64d2788632
SHA2564527050fb5251ada00abefce2dd2351b404baf1985e6dc3defba9536660e700a
SHA512eabf3550147f1c5acc487da8e9cf713432b00ec38211d63701d1ae8d140aa5270633bfb5ffd3b8c8ba17131e85a4338ad4a5f75fcfae39021a8e85535d11ff2c
-
Filesize
6KB
MD58313bb8013c9681001011e1089030a15
SHA1764a9cc6554b045877fefeca0009fbffbf6ab4fb
SHA25660b8b53413ba2bc65e66f10919a4185ecbd7a72d92394677e0f9dded99572d3e
SHA512c4394bd5536491e4ee67541a61b64a2cf3227c1877f82d34a309db698f27aacb509d99c7f0b4eb42d3c5ef4457e2e39af25857043676915eb63bbb419b80310f
-
Filesize
7KB
MD5514714e4dac22b58081c7816af67ac1f
SHA1450068309b147c53b1cb17dc22fe3491d3d59ebb
SHA256450b6d86c020a4dca70fb10422f6f0e12995f9d8a63425d9ca9a254a00dc9e1a
SHA5127fee2b3f682bd04f78d4d587f6cdc9781a616ae1e28d0b42de7758b33fc055968baf741ad00a5a6d9b24abb7e8ece250400fb32fcdff8f119ce1541de0357a85
-
Filesize
7KB
MD593656410ebcc438c8a71e22b56bb4e51
SHA136d7c8eea52f7a5405beeec4e874f8efbbc66d91
SHA256c7e3d8a0c2891837789b2de2fc0029d0b871606314744e71ddee969dae5a73cf
SHA512052794b2a30e332083faf4a9df615205135436f7fa7936da6bee25ede4b537ce28a5770929649a31858cfc30943045e991026d08a20ecb46f4b47db5682530f8
-
Filesize
8KB
MD5a5105d054abd4371992a4d3e925dae2d
SHA1185b5a5a0c92a71fc40f4fc61cc48ab7491c8f36
SHA2565827c4b018e4115a9651bea8601318d680835344239d356a27d65a2d3f0df18a
SHA512abd74a750044f7f1d9e1ce9dd48468f8dbe1b9be52cd45f14408cb751c1f8dddc7e78e47b3331e650f4bb737fa61fde1a2ab1d45da8225495fc4a8e33d86adbe
-
Filesize
7KB
MD59f1544aee1a4190b855460ca45511fac
SHA177aef6586cf143749150b757a39ed5e4888a29ed
SHA256be6360ed4be3165592d0e3e49f11959b091a62f55067d1280aaca6b0cdb35473
SHA5121967ff924db8d23b8180941be93a68ce2d9eee362892eb8ce53585c79f547006e865c2d9bb8ac82c53c3e43d0a21e1091933dd8a20a06a261eacd0c52f3230b3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5099ee05b710c02201fcbd412108011e1
SHA1fc471377cdfdd6911d57bd536e51a6b2557a822d
SHA256f4f8cbf5d23dbfc29e725557d14cd2963b5b8205c0bfb5cc7b3f4404d733b4bd
SHA512d377f2c96cfbe641a59d7c5d005d90f365e16dda432b79bed59ce13ad3db6b9467ce0660c825bc8d0820e94b6824fdb42589c86f84a70099fa52d6f8bd57ea05
-
Filesize
11KB
MD5a24ca23766e03a4ee8ef05f9409f5398
SHA18db023e8f16bdee580bde5cba6d28467ad041457
SHA25601f7f156e1f3fc2e608ae254a45ba68a201c53e42b0b652d21fabab8bba34c69
SHA5125da1106fe470952d942f6101e7aea756d5d3ccd4fb7bb5a557aa18ffb98c761756e07450644e0c91df44bf4e204f9e39a24092d751e771f63d15a91548ea2846
-
Filesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
Filesize
112KB
MD594dc379aa020d365ea5a32c4fab7f6a3
SHA17270573fd7df3f3c996a772f85915e5982ad30a1
SHA256dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
Filesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
Filesize
402KB
MD5b1f793773dc727b4af1648d6d61f5602
SHA1be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA51266a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed
-
Filesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
Filesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
Filesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
Filesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
Filesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
Filesize
22KB
MD5bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA2568af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA51286351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c
-
Filesize
8KB
MD58833761572f0964bdc1bea6e1667f458
SHA1166260a12c3399a9aa298932862569756b4ecc45
SHA256b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5
SHA5122a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8
-
Filesize
53KB
MD56c51a3187d2464c48cc8550b141e25c5
SHA1a42e5ae0a3090b5ab4376058e506b111405d5508
SHA256d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199
SHA51287a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba
-
Filesize
79KB
MD5d9cb0b4a66458d85470ccf9b3575c0e7
SHA11572092be5489725cffbabe2f59eba094ee1d8a1
SHA2566ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA51294937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
73KB
MD5b2e3ba2084f827f2e46a917983363f0b
SHA141fd27f8688b7a755abc0acc72a2a6a0e1045c78
SHA2567daa3d35584a7e87c3e8e3afeb436d088209966471d6c766328087823f1f3e73
SHA5124aea989bda6efc91836264f04f23fb3760764e3ef7809f618ad949c2e64b5a167fe5d054607535ec22fea4942d9ddc5ea7f70a1f529ee23633c1cd275d90e508
-
Filesize
3.4MB
MD59f9bbd12ae5894046810e6736ec4d892
SHA19e81b764a40ec39f6667c54b8d40da0b97cb5a7f
SHA2568d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4
SHA51257d5b59de422394856e15b2d65c1f2a9e85a1b012c954ecad98682a84c7f90ff00be91819c8ae9cd123270e2cf446d69bfb248bde471a29846d57bf401417eaa
-
Filesize
236KB
MD5a1fcdf1aec0745b85e089c255c6e9db8
SHA165775f7c29c8f075851c7bed98035499c415fac2
SHA2569aa3c19444a17ce6d331e9f729d6bc6c5bfa3151938ab037631cd720754a49ab
SHA512c4d5f8478820c6d91266a3baa6e366c9587a97476ab3c76f0e6d201f6fa443869725f29696f06ab421b7ddf5901563580d7b12798d5a15cebd593228b37c801b
-
Filesize
276KB
MD575236dbb69d3540c087e860277b551d8
SHA19f451efe4a3f21e9f8b46a79c92d5fc921277459
SHA2560260b6990612101a4e6e1b9ef597617974f9e0c2565a336849d9960fd4aae360
SHA512680974418f6e8f7b71ffefa49c50f66abef4ef188fada994c1efcdcbd1897436a2bb2da1bd93ffa290dc3157799a45808f65954c2d30926a1c9d980c667bbf15
-
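MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these four digests are the standard hashes of empty (zero-byte) input, so this entry describes an empty file and is not a distinctive indicator to match on.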