guerrilla | 815165ed2cfb5dee2b8c061f6436366b9d72e464dcc83db9c3c036475a875d5e

Analysis

max time kernel
251s
max time network
267s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_1260_ld.exe
Size

12.3MB
MD5

53267fb7397aef58b1025636f8eed6b8
SHA1

bc2e7965b2a5d10de452dd590ffef7328b48e1bf
SHA256

815165ed2cfb5dee2b8c061f6436366b9d72e464dcc83db9c3c036475a875d5e
SHA512

bd966609dc941d64bb379913a8258f2c8b9712e76c8ea5a4c5f842aa86714c1a39d918b71f170491c08e40ffe6f6fe236a7cd025b93902b75080adb43056af9f
SSDEEP

393216:P9JRaxbxp41TXj2w5311sHznZc+TEI4gw:1ibxWT6w5AbZbTNC

Score

10^/10

guerrilla otpstealer discovery execution exploit infostealer persistence privilege_escalation rat spyware trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla

Guerrilla payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000400000001d8c6-397.dat	family_guerrilla
behavioral1/files/0x000400000001d8c6-398.dat	family_guerrilla
behavioral1/files/0x000400000001d8c6-399.dat	family_guerrilla

Otpstealer
Otpstealer is an Android SMS Stealer that targets OTP first seen in February 2022.
trojan infostealer spyware otpstealer

Otpstealer payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000400000001d8c6-397.dat	family_otpstealer
behavioral1/files/0x000400000001d8c6-398.dat	family_otpstealer
behavioral1/files/0x000400000001d8c6-399.dat	family_otpstealer

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\FuncName = "EncodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
860	takeown.exe
868	icacls.exe
2940	takeown.exe
2372	icacls.exe
1360	takeown.exe
532	icacls.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2940	takeown.exe
2372	icacls.exe
1360	takeown.exe
532	icacls.exe
860	takeown.exe
868	icacls.exe

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libeay32.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDriver.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRes.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSDL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe

Executes dropped EXE 6 IoCs

pid	Process
1028	LDPlayer.exe
2328	dnrepairer.exe
1188	Ld9BoxSVC.exe
1952	driverconfig.exe
1996	dnplayer.exe
604	Ld9BoxSVC.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1588	sc.exe
2268	sc.exe
1792	sc.exe
2020	sc.exe
1124	sc.exe
2136	sc.exe
2316	sc.exe
2220	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1712	LDPlayer9_es_1260_ld.exe
1028	LDPlayer.exe
2328	dnrepairer.exe
2328	dnrepairer.exe
2328	dnrepairer.exe
2328	dnrepairer.exe
2328	dnrepairer.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
1188	Ld9BoxSVC.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
448	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1132	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
1588	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
2444	regsvr32.exe
1028	LDPlayer.exe
1952	driverconfig.exe
1952	driverconfig.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1996	dnplayer.exe
1996	dnplayer.exe
1996	dnplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_es_1260_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MAIN	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	dnplayer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods\ = "27"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\NumMethods\ = "40"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8384-11E9-921D-8B984E28A686}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\ = "IEventSource"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods\ = "76"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ = "IClipboardModeChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods\ = "26"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1207-4179-94CF-CA250036308F}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\ = "IVBoxSVCRegistration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods\ = "49"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-71B2-4817-9A64-4ED12C17388E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\NumMethods\ = "39"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ = "IShowWindowEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ = "ICursorPositionChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ = "IGuestOSType"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ = "IExtPackPlugIn"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ = "IExtraDataChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0126-43E0-B05D-326E74ABB356}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ = "IPCIAddress"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-D612-47D3-89D4-DB3992533948}\NumMethods\ = "17"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ = "IMediumIO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\ = "IPerformanceMetric"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-800A-40F8-87A6-170D02249A55}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ = "IFramebuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\ = "IGuestFileStateChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LDPlayer9_es_1260_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LDPlayer9_es_1260_ld.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1712	LDPlayer9_es_1260_ld.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
1028	LDPlayer.exe
2328	dnrepairer.exe
2564	powershell.exe
2364	powershell.exe
1892	powershell.exe
1028	LDPlayer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	1028	LDPlayer.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	dnplayer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1996	dnplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1028	1712	LDPlayer9_es_1260_ld.exe	30
PID 1712 wrote to memory of 1028	1712	LDPlayer9_es_1260_ld.exe	30
PID 1712 wrote to memory of 1028	1712	LDPlayer9_es_1260_ld.exe	30
PID 1712 wrote to memory of 1028	1712	LDPlayer9_es_1260_ld.exe	30
PID 1028 wrote to memory of 2328	1028	LDPlayer.exe	32
PID 1028 wrote to memory of 2328	1028	LDPlayer.exe	32
PID 1028 wrote to memory of 2328	1028	LDPlayer.exe	32
PID 1028 wrote to memory of 2328	1028	LDPlayer.exe	32
PID 2328 wrote to memory of 476	2328	dnrepairer.exe	33
PID 2328 wrote to memory of 476	2328	dnrepairer.exe	33
PID 2328 wrote to memory of 476	2328	dnrepairer.exe	33
PID 2328 wrote to memory of 476	2328	dnrepairer.exe	33
PID 476 wrote to memory of 2604	476	net.exe	35
PID 476 wrote to memory of 2604	476	net.exe	35
PID 476 wrote to memory of 2604	476	net.exe	35
PID 476 wrote to memory of 2604	476	net.exe	35
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2900	2328	dnrepairer.exe	36
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2880	2328	dnrepairer.exe	37
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2896	2328	dnrepairer.exe	38
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2956	2328	dnrepairer.exe	39
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2752	2328	dnrepairer.exe	40
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2624	2328	dnrepairer.exe	41
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42
PID 2328 wrote to memory of 2744	2328	dnrepairer.exe	42

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1260_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1260_ld.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1260 -language=es -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328148
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2900
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2880
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2940
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1360
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:532
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2020
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1124
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2136
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1188
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:448
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1132
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1588
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2444
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2316
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1892
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:860
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:868
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1996
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:1588
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:2268
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:1792
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    PID:2136
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    PID:2576
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    PID:2208
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://es.ldplayer.net/blog/94.html
    3⤵
    PID:3020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
      4⤵
      PID:3016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
PID:2164

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
PID:604
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:2792
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:2756
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:2732
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:864
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
6fcb827fe4a5ae344eae27b53d368903

SHA1
719c435846d0860c3c2baf27055a6d114890a8ab

SHA256
bc67354096d13b85a1a13eeb7a2ad899bb35b003519756d28f145e3c040f7804

SHA512
9659a187bccd6fa736fd187abcf57eeeb8b1323d8cc269bb9793978243abbdf830085d6e1df5da7876710ddb5cab20c79d2f53ef4acf6f4826504944fdd5e9cc

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
77138e2662cdeffd61cf6210ae3fb8ca

SHA1
a085b99630efc74cedd0be9a0eeb57eff7b3850f

SHA256
68c83685da55573ae966db3113ee513dd76ba489024373968e527bd44d814724

SHA512
a4621910aa3ae4b5dfa558e69d0270717341467cf067d9397e2bbf118f789c87eef8750ecb25ffd9c60f51f35ceb40b211ce9a738116c4dfc06e543ac90d1bcc

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
6fe5ee1daf303963482ffc414b1f4aed

SHA1
076ebaeeb02853d96e20085fbedaf7e61f3a60d3

SHA256
2685e5c1aa3cdead02024f21abadb413c6dc130946f7b44ca01b0cea64bdd2ae

SHA512
8bc6758c95a53ebcd6b6fd27bdd3165f91bcd8f370d677afb7d599865b57ecad274eb21502235eeb64ad2624046cafa9f14576221b1503e333815df5a6dfe134

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
65eeb6cb2049e4df3a1db20f15db52ab

SHA1
10182b8c8e95079b105bbe66247fd0e8e97d4eea

SHA256
68fe01a6df81242470ceb107f630a5be3281524ec8ea6aa2182b3847271ab053

SHA512
38ddc0fe70b3f5051a8b2dc02c8dc4be695e9f0ac31654f42c1579b5df93c9708db09e6966fa61e528035c0d47bf09e4e4be38b670670948f8c65f3dc8ab18df

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1207.5MB

MD5
ee02fd4f4597909bc7a2383e98fb3b28

SHA1
d6de74fb315bd2f0a7569fc27471db5abd8ed87e

SHA256
288b51fc6ebed32eee7545ad30ac36a7ec6e2f9bf3ba5409e5b40151e84d91bf

SHA512
0aac949be3e075d095787c0c0017978e7308cc2d15484a762c97b2da00df9f014d3892c3b77452a9dcfc3d2b47199609b1a44888e1471dafd1e2372ab8e6010e

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1221.1MB

MD5
c1f6f51c7a7540c4de8e8a3a626694b7

SHA1
07afb50869b3bff4bb766aaa70bd79faed83d58e

SHA256
2aa2c8478cbdd09997ae1e0510af7d54f3dd0ff97d35014a44690b6b2298751a

SHA512
3818e7ce0ca8bc881168b30665da101f061b9b21cf390f2aa2e2abbc551d7c7e267588c1e4143357e49e2838ede1780d62e5d347e2fbcefd693b0230f94cebaa

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1223.3MB

MD5
674fb7f526cd2d1f94cd420dc62e9015

SHA1
5df5af05e38b2959598810bb8622f3843b303ad4

SHA256
e5dea38e20e8e7ae780ea8f618010e54559f1a00814a03eb4bcbac71ab2a9bad

SHA512
b278652237a6f155b1d85d1032597525fc8fd4c494ed10f55ac42a09ea55984d779c840217fdc82f7171e2ed109805eb5cb4d1ecf837d5e32853eba6844a847f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll

Filesize
532KB

MD5
23aa9d6d45802ed1ddb044d98a5020f5

SHA1
1ae392d8b6dc494e09e2fc9c6027ad561b1f8957

SHA256
5c4c1a08f932e2270d99b92c4ea810c0a64da34d8fef0c7174f434d60b5f3b87

SHA512
6edf9459108e969ac2ec305bfac3da0d648bc3954ce6ff9ccb212e049f27817cd26df0aaa5de11753be27accf0d84d67a40eda1fc469948c449fd8a1a737bd54

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll

Filesize
379KB

MD5
1a9b53f92a3274238c50c39a9e818524

SHA1
aad139790b2f2864a3d99b905e0ced0371b7ed26

SHA256
23bee20eaee261ab9c1dc96873adbbd7be66f269c905bef7178260e93848fcca

SHA512
6d588be05f1c3238f1f5deefdec9241084719bc35f96f62bd8f0f846738db9794d5e35a3d4773b8b87f950b87d5650321713345dd2568402993d146649126803

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_CM.dll

Filesize
1.0MB

MD5
e84dec7da7bfe33769007d861f60f95e

SHA1
51c39391c36eafc2983e9967f7d75a7a34d05baf

SHA256
f8bc93efe5e2593c9b8bebf5c1664cb22828f3b6c13fbedafa8cd5881663b3b2

SHA512
ed4c41208962d8b8e888fac473ca3c257a0a9e2b8c38d8d608f5e14a91ea28b28c1ffd536d776b472a952b184a8d6f08597d379963f6f8a00755f46a16f97355

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_V2.dll

Filesize
2.7MB

MD5
2c8052511cf64518ce01bb4eef032d37

SHA1
75cec311395645f78a6c189db881f0d0bbdb6b5b

SHA256
5557b20833132a9075f0fdabfc51486ee1bfc2bcc403dbedba337aa22854b9fd

SHA512
85b57862e4513b53d5730819a6f8ed01740ec6cd2a599cc4ac786abba0711eba1ae4e7ba8ad1a7a1810ba1ac105a86652a15854eef545bf31455434f39853e77

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_V2_utils.dll

Filesize
1.6MB

MD5
beb1bf678395ed022bc1cdb344c0970e

SHA1
294114bc4b4fb1328ce42a1c448112137f5af80f

SHA256
371c58e2d546edf71dff2fa907c3bed69dfcae4c30aab14717cd9a2dd29db473

SHA512
855d4321061dceeb16489d6cac8b1a502d88e462bac8ad6e0e92c3a990ff416da933fdff94f91c99811e260ee4b45c6620c8652a7324bf4dc34c89f2077aee78

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
1fb62ef7e71b24a44ea5f07288240699

SHA1
875261b5537ed9b71a892823d4fc614cb11e8c1f

SHA256
70a4cd55e60f9dd5d047576e9cd520d37af70d74b9a71e8fa73c41475caadc9a

SHA512
3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
0fb91d94f6d006da24a3a2df6d295d81

SHA1
db8ae2c45940d10f463b6dbecd63c22acab1eee2

SHA256
e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8

SHA512
16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
c1fdd419184ef1f0895e4f7282d04dc5

SHA1
42c00eee48c72bfde66bc22404cd9d2b425a800b

SHA256
e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7

SHA512
21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
e46bc300bf7be7b17e16ff12d014e522

SHA1
ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44

SHA256
002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e

SHA512
f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
e87192a43630eb1f6bdf764e57532b8b

SHA1
f9dda76d7e1acdbb3874183a9f1013b6489bd32c

SHA256
d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf

SHA512
30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
7041205ea1a1d9ba68c70333086e6b48

SHA1
5034155f7ec4f91e882eae61fd3481b5a1c62eb0

SHA256
eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d

SHA512
aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
8fd05f79565c563a50f23b960f4d77a6

SHA1
98e5e665ef4a3dd6f149733b180c970c60932538

SHA256
3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73

SHA512
587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
cedbeae3cb51098d908ef3a81dc8d95c

SHA1
c43e0bf58f4f8ea903ea142b36e1cb486f64b782

SHA256
3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0

SHA512
72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
13b358d9ecffb48629e83687e736b61d

SHA1
1f876f35566f0d9e254c973dbbf519004d388c8d

SHA256
1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd

SHA512
08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
c9649c9873f55cb7cdc3801b30136001

SHA1
3d2730a1064acd8637bfc69f0355095e6821edfd

SHA256
d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f

SHA512
39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
bedc3d74c8a93128ef9515fd3e1d40eb

SHA1
d207c881751c540651dbdb2dbd78e7ecd871bfe1

SHA256
fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32

SHA512
cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
769bf2930e7b0ce2e3fb2cbc6630ba2e

SHA1
b9df24d2d37ca8b52ca7eb5c6de414cb3159488a

SHA256
d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a

SHA512
9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
89766e82e783facf320e6085b989d59d

SHA1
a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed

SHA256
b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90

SHA512
ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b8bce84b33ae9f56369b3791f16a6c47

SHA1
50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4

SHA256
0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8

SHA512
326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
77e9c54da1436b15b15c9c7e1cedd666

SHA1
6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360

SHA256
885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658

SHA512
6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
540d7c53d63c7ff3619f99f12aac0afe

SHA1
69693e13c171433306fb5c9be333d73fdf0b47ed

SHA256
3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36

SHA512
ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
6486e2f519a80511ac3de235487bee79

SHA1
b43fd61e62d98eea74cf8eb54ca16c8f8e10c906

SHA256
24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667

SHA512
02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
a37faea6c5149e96dc1a523a85941c37

SHA1
0286f5dafffa3cf58e38e87f0820302bcf276d79

SHA256
0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e

SHA512
a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
6e46e5cca4a98a53c6d2b6c272a2c3ba

SHA1
bc8f556ee4260cce00f4dc66772e21b554f793a4

SHA256
87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce

SHA512
cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
b72698a2b99e67083fabd7d295388800

SHA1
17647fc4f151c681a943834601c975a5db122ceb

SHA256
86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378

SHA512
33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
e1debeda8d4680931b3bb01fae0d55f0

SHA1
a26503c590956d4e2d5a42683c1c07be4b6f0ce7

SHA256
a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d

SHA512
a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
a639c64c03544491cd196f1ba08ae6e0

SHA1
3ee08712c85aab71cfbdb43dbef06833daa36ab2

SHA256
a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60

SHA512
c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
56486925434ebcb5a88dd1dfa173b3d0

SHA1
f6224dd02d19debc1ecc5d4853a226b9068ae3cd

SHA256
4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce

SHA512
7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
6f9f9d52087ae4d8d180954b9d42778b

SHA1
67419967a40cc82a0ca4151589677de8226f9693

SHA256
ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0

SHA512
22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
7243d672604766e28e053af250570d55

SHA1
7d63e26ffb37bf887760dc28760d4b0873676849

SHA256
f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18

SHA512
05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
c0c8790510471f12f3c4555e5f361e8e

SHA1
7adffc87c04b7df513bb163c3fbe9231b8e6566a

SHA256
60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80

SHA512
4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
ebac9545734cc1bec37c1c32ffaff7d8

SHA1
2b716ce57f0af28d1223f4794cc8696d49ae2f29

SHA256
d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26

SHA512
0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
c7c4a49c6ee6b1272ade4f06db2fa880

SHA1
b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e

SHA256
37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f

SHA512
62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
bef17bf1ba00150163a2e1699ff5840a

SHA1
89145a894b17427f4cb2b4e7e814c92457fd2a75

SHA256
48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328

SHA512
489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
fbfcf220f1bf1051e82a40f349d4beae

SHA1
43154ea6705ab1c34207b66a0a544ac211c1f37d

SHA256
9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d

SHA512
e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
2c8e5e31e996e2c0664f4a945cece991

SHA1
8522c378bdd189ce03a89199dd73ed0834b2fa95

SHA256
1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979

SHA512
14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
77c5cc86b89eed37610b80f24e88dcc2

SHA1
d2142ecce3432b545fedc8005cc1bf08065c3119

SHA256
3e8828ab7327f26da0687f683944ffc551440a3de1004cc512f04a2f498520f6

SHA512
81de6533bba83f01fed3f7beed1d329b05772b7a13ffe395414299c62e3e6d43173762cb0b326ea7ecf0e61125901fcee7047e7a7895b750de3d714c3fe0cc67

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
4394dafed734dfe937cf6edbbb4b2f75

SHA1
06ec8f1f8dd1eab75175a359a7a5a7ee08d7a57a

SHA256
35b247534f9a19755a281e6dc3490f8197dd515f518c6550208b862c43297345

SHA512
33d9c5041e0f5b0913dd8826ceb080e2284f78164effde1dbf2c14c1234d6b9f33af6ae9f6e28527092ad8c2dbc13bddfc73a5b8c738a725ad0c6bb0aa7fcfaf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll

Filesize
60KB

MD5
18bdfd4b9e28f7eba7cbb354e9c12fcb

SHA1
26222efacb3fce1995253002c3ce294c7045cf97

SHA256
3105da41b02009383826ed70857de1a8961daeb942e9068d0357cddd939fa154

SHA512
7d27eeff41b1e30579c2a813eea8385d8a9569bc1ece5310b0a3f375fba1894028c5cec2cf204e153a50411c5dcf1992e8ac38f1c068c8f8af9bd4897c379c04

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
7ddd5548e3c4de83d036b59dbf55867a

SHA1
e56b4d9cfca18fb29172e71546dc6ef0383ac4e9

SHA256
75f7b0937a1433ea7e7fa2904b02fd46296b31da822575c0a6bc2038805971ef

SHA512
9fb30ef628741cebbc0f80d07824e80c9c73e0e1341866f4e45dc362fea211d622aa1cffc9199be458609483f166f6c34c68b585efe196d370c100f9c7315e0d

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
a3f630a32d715214d6c46f7c87761213

SHA1
1078c77010065c933a7394d10da93bfb81be2a95

SHA256
d16db68b4020287bb6ce701b71312a9d887874c0d26b9ebd82c3c9b965029562

SHA512
920bb08310eadd7832011ac80edd3e12ce68e54e510949dbbde90adaac497debe050e2b73b9b22d9dc105386c45d558c3f9e37e1c51ed4700dd82b00e80410bc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
c99c9eea4f83a985daf48eed9f79531b

SHA1
56486407c84beecadb88858d69300035e693d9a6

SHA256
7c416d52a7e8d6113ff85bf833cae3e11c45d1c2215b061a5bbd47432b2244a5

SHA512
78b8fd1faada381b7c4b7b6721454a19969011c1d1105fc02ba8246b477440b83dc16f0e0ce0b953a946da9d1971b65315ac29dbb6df237a11becb3d981b16b9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
d3d72d7f4c048d46d81a34e4186600b4

SHA1
cdcad0a3df99f9aee0f49c549758ee386a3d915f

SHA256
fd8a73640a158857dd76173c5d97ceeba190e3c3eabf39446936b24032b54116

SHA512
6bf9d2fdc5c2d8cd08bf543ef7a0cdcb69d7658a12bee5601eeb9381b11d78d3c42ef9dd7e132e37d1ec34cc3dc66df0f50aefadfdc927904b520fdc2f994f18

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
a992f1e06c3c32ffe9799d4750af070a

SHA1
97ffd536d048720010133c3d79b6deed7fc82e58

SHA256
b401edaac4b41da73356de9b3358dc21f8b998a63413c868510dc734b1e4022f

SHA512
50bd08680fccff190454e6555e65e2787bdc0e8a9bf711e364eb0b065951c2430559e049202b8f330ac65e9d4cd588349c524a71f700e179859d7829d8e840b8

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
cb4a19b88bec5a8806b419cf7c828018

SHA1
2bc264e0eccb1a9d821bca82b5a5c58dc2464c5d

SHA256
97e4c91103c186517fa248772b9204acf08fde05557a19efe28d11fb0932b1f7

SHA512
381edd45ecd5d2bdefd1e3ad0c8465a32620dfa9b97717cadb6a584c9528fed0d599d5a4889962f04908ca4e2b7b4497f0e69d8481ee5f34ea5d9106d99760c3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll

Filesize
336KB

MD5
65f2e5a61f39996c4df8ae70723ab1f7

SHA1
7b32055335b37d734b1ab518dcae874352cd6d5c

SHA256
8032b43bdd2f18ce7eb131e7cd542967081bea9490df08681bf805ce4f4d3aab

SHA512
0b44153ac0c49170008fb905a73b0ab3c167a75dc2f7330aed503f3c0aedfd5164a92d6f759959a11eceb69e2918cb97c571a82715ad41f6b96888d59973f822

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll

Filesize
51KB

MD5
1090c9726f1ef88416fb86779af7b2af

SHA1
b578a414ee258be761e5a78cdf7c9e7765782e59

SHA256
5cb17d8f71bf0df120266bb28620e5ed2d6c6e3568ef0ca3e4895dfb798b8795

SHA512
fd9391a646785c3f06ddd372a793145348b8792c3fd4266c0d7303339c69ea0d7b787177beabe1a7caef3be437bc9b91f418910bc56eb7638f3a5265ce6f41a3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll

Filesize
67KB

MD5
4686a05f32b1cb75ce3da76581d1bd03

SHA1
63ab4820bf318dbb58e54a2a14086e9c708a104d

SHA256
f0a49f3ecb8f69867bcdfe4b686f0eb0a93746a1d5c60fda2132205cc68c633e

SHA512
a373ef8ab6e3f8b00f90f0f771a6b364014d642a5392bb11f9982f9c931764875102ce1e477104af94fd7a30b47ca766fce7c83c3dac3d2202e0199df0bbe8ce

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
7c539bf89dced78f2c0b3831d5440242

SHA1
6221080c64ef387ae4a8186ec868e87e659403a2

SHA256
1a0f2a466bb89f99f2f507d5e5a5eebe7722cce96f145f3638cb45294e33263e

SHA512
c21058a2e4a986696fc4def701b7c7f8fa5eecc245e02e114acada503bcc2df71beff01b633b1961e26bf2a8879c81443fae93813585056f4b7bd2e80aa5b987

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
a3cc43221551640314587475cd7620ea

SHA1
13b79f90ca5b29ce175be2de4e5ed7c4f14bbbf4

SHA256
93c1d3b276e6dca0ee0c44bdab440274ba3b04d2cee0acb4e06456ce70b04134

SHA512
303dda098aba35af75b3673a06759246a4d677484054e7962bc38144025cae59162511bc2410bedd40333134a1e777357a2be517467fb71fd60e96f9bb8dc305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
c66ca5da0da8d4e533e75b27abe6176a

SHA1
946dc531d0e078066027c4342ce044d89af019db

SHA256
3c59a089eb6a8b6def7cde154809cca68ce49d2b22e4e1715d670f4401c394b2

SHA512
1e0af703d37918b4663c2d7d1fcb1f38cf559ab5bf2fd25d275e397af94a6af77de7358177ffd8a89fb4c06705c5cb1e39adeb0eb5f4cdaad86c68f1df0e788a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20773787617bcf90796dc552d357b12f

SHA1
f9636632e2dc61d32eabcbf79a93d7dff07391ff

SHA256
7dffe2fc7784205c9886b1270972c7d1bf3adb6e1cd80390df695daddd237b6c

SHA512
fb59d94603764dd4b97495a7b874e25b651f4443769809c948b0a8c3dcab620407c972c2598fa68bd6e79bc989ddced355c8fd58ba21780e14f773ddb9d7d30a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02dfd01b19e1426cdf40dfd43b1ebd31

SHA1
310c5be965f886eeb655fbaeb814c4cce150199d

SHA256
8550c126ed29d4b3d5401208b017de0290708848ce77cc283d45ab0cce71cb9c

SHA512
9b2a89bfe971d09899c37d0dd282ab8c85a880cb350d6bf7efd4d6734926357ef21bb6fc296112c42654be217d2b41a168e8c399d8d398dd01a8cc4e0b498ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a57ac2dba55a1bbca01761373ba7def3

SHA1
71bb377d22478e4df154a00594184b383f54f261

SHA256
00e825370eb264826963d53171c88ae41e9e204fbce6fecc5f98758a5a11c62d

SHA512
6d314960bfd1e2b494fc7858cc18371081f81ac70d80ff9250e492744fc7087a485da0a3b842a7482faf7cbf6ec7f8a060adeffa1a3e8abd3d318dfabe1e0fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c13077e7965dd6317710cd8b4b11c1

SHA1
88ba355c58b2633a678706cbbcddb090a5af0ae6

SHA256
a5bf1b0742ba7d62199de7998902fff3d4d561b7415b92d1f83ad610c291ac5c

SHA512
2c5260ada152e9d29ad38fef739e0547947e04d3a587f1b404130f99af23554a81f4d3732152fdde7abf2df80f9cba920c1f3ee3edc29da79975a1b2e6c5a7d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
415435efb92cad549f44367b8ef3a1e5

SHA1
49a1c2581e8f6bbcd1fbcb42fc27af4931d6762f

SHA256
14bd096e6315155f43f74b2b24557bb3fd733d3c91146272d7c4a5b79bf4e2ef

SHA512
8bb919573c75e9bbb427f73e09be33e46859ebaf695533b62f46cc6bb7b62a6ad6c808d1a19a91337e9c2064cabceade936fff69548482f53e4896d5b4f231a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9236ad62d976ee46692d4e2644c90ef6

SHA1
6c72ef67708d9ead719115acd5b4a6c7b470930a

SHA256
b1f2a1daa1424800f8579fb5859f81bd216cc93af3f14a33b465ac6342f7272b

SHA512
52a12a669897c95c50715320c8c9dc69bb9aad03821d2b584afdeadbbf7ea7619c7f1526fee1534cb1cbaf0ecd9ae76cf394db3c6aad252dc79b2c8601ee706a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34c2049c2e9f53e574f05bdf1f4d2bbb

SHA1
4c09a4a3d4cfb70c45901f813b77f577f7b2ced5

SHA256
6f9f2354b4742fca2c5d762b1ed15058a6659e772f2c8a788de624d3a83c97b1

SHA512
e7770c38c6e4397b6b69a81107468898994d2d20dcb3887bc0159a1b7f4fa5a8c7a5115b21435340211d7d68555235de05475c8771253b0673d3a90369d28907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59217145d6026e22ca2eb325556e89a3

SHA1
3e50fbeba968e65591b6622ebe4781aab716dd0f

SHA256
f672b858740ae2213b84d1b24f1a995f7342ec86dd9a6ebfe8043e4335c0a3ad

SHA512
c842cbe2ced82846707c9c8dd2a0725c4955f83c95c22b9fbe9a99a317ad8d2c0f42175d86828f3fffe29cb67f09621dd7328bb3836e871fb1ea71395eaa7766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f692e862e800ed527c58220e0a8331c

SHA1
193268d491961c2e516eb5ad368e48a5e69f6709

SHA256
afd12c61b22efe7fd4a215dd9e5a1ca01e417ed3fbd6018a886a6c5e7756d1e4

SHA512
7d6be1915c2f21fe445f63433c536b23e08f9e1777fb465f0d123384d1915b116621738e0e15868a640d6ac8c90800fb779c7312b60bd95065212976eaef9ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
6b5b6d0187768291ef2457eb98932fa5

SHA1
82ab5ae365be670e3ab12fcdc027cd83687f4db7

SHA256
2df5e9cf7d6fe8134b4159f168d03d6e3279e36d97e9a5f58417ddb230ae6676

SHA512
4e795539075ffad2436e73d3a8ebb4797e7412ff98bc5ba108f9d103e2b282f6f26e823b8d8df0453d43c7d25b32596f7b4f2509ca26ec33fb2f30701f8f1374

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4414.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J71O1D2QIOEZ7TV244KA.temp

Filesize
7KB

MD5
57d44135b482a42a122588afeb732482

SHA1
48276e5cbf7fb01d09f786bf2a6c235aa9b336d5

SHA256
35c5e697bb1e3979d7a325b8952fa6d796324aa3cbe74123848e49898eea48ce

SHA512
80c97a89b34f3bf46d46191fe24ec83f2ac4f799ac17be0ee76e9d68fe68562b9ced4ca3c09dcabc57bb46467f10e0b2af35cd30979ad98db8423160e5a1c3b7

Download Submit
\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
8c32366769719275a9e4d9916d0fb3fb

SHA1
56123f2303dbb13f583ef1ff689d5ca26e53ba12

SHA256
2a8774e1bf13aa2116c647953dc5e712deca53caa6d5de04f92548c0acd7bee5

SHA512
4d69b154c572da5ea185ae147855d542744bf2aff0024a88f51f1c73c57724eb9f50277476ccbaaf585e1291b5c019154877e7289880e32fd9d20f1d8c851eab

Download Submit
memory/604-822-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/604-821-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/1996-794-0x0000000035420000-0x0000000035430000-memory.dmp

Filesize
64KB

Download
memory/1996-782-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/1996-824-0x0000000005420000-0x0000000005422000-memory.dmp

Filesize
8KB

Download
memory/1996-823-0x0000000005410000-0x0000000005412000-memory.dmp

Filesize
8KB

Download
memory/1996-2895-0x0000000070F60000-0x0000000070FDE000-memory.dmp

Filesize
504KB

Download
memory/1996-2802-0x0000000070FE0000-0x00000000729DB000-memory.dmp

Filesize
26.0MB

Download
memory/1996-2924-0x0000000070930000-0x00000000709AA000-memory.dmp

Filesize
488KB

Download
memory/1996-2904-0x00000000709B0000-0x0000000070F56000-memory.dmp

Filesize
5.6MB

Download