Malware Analysis Report

2024-12-07 14:47

Sample ID 241011-1gvsnsvfpe
Target LDPlayer9_pt_1552109_ld.exe
SHA256 f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a
Tags
bootkit discovery execution exploit persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a

Threat Level: Likely malicious

The file LDPlayer9_pt_1552109_ld.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery execution exploit persistence privilege_escalation

Possible privilege escalation attempt

Manipulates Digital Signatures

Creates new service(s)

Modifies file permissions

Downloads MZ/PE file

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Launches sc.exe

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Checks installed software on the system

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Checks processor information in registry

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies registry class

Runs net.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 21:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 21:37

Reported

2024-10-11 21:40

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"

Signatures

Creates new service(s)

persistence execution

Manipulates Digital Signatures

Every Dll / $DLL value in this table is "WINTRUST.DLL", and the function names (SoftpubInitialize, SoftpubAuthenticode, SoftpubLoadSignature, SoftpubCheckCert, CryptSIPCreateIndirectData, WVTAsn1SpcSigInfoEncode and so on) are the standard WinTrust trust-provider and SIP entry points that re-registering wintrust.dll writes; the writer is regsvr32.exe, which is consistent with an installer repairing Authenticode registrations rather than replacing them. The signature fires because a trust-provider or SIP hijack modifies exactly these keys, so the check that matters is that no $DLL / Dll value resolves to a dropped DLL and no $Function / FuncName names an unexpected export.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" C:\Windows\SysWOW64\regsvr32.exe N/A

Possible privilege escalation attempt

The sandbox did not capture the takeown.exe / icacls.exe command lines, so this report does not say which files or directories had their ownership and ACLs changed; the same six launches are listed again under "Modifies file permissions" below.

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner PostInstall = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\"" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe" C:\Program Files\CCleaner\CCUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\AVG\\Antivirus\\setup\\instup.exe\" /instop:repair /wait" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A

Downloads MZ/PE file

Writes to the Master Boot Record (MBR)

Every hit below is a handle opened for modification on \??\PhysicalDrive0, the raw device whose sector 0 holds the MBR, by the bundled CCleaner and AVG installers and by CCUpdate.exe. The report records the handle open, not a write to the boot sector, so this indicator establishes raw-disk access by those processes; whether the MBR was actually rewritten has to be confirmed from the detonation disk image (compare sector 0 against a clean baseline) before the bootkit tag is treated as a finding.

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\CCleaner\CCUpdate.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\CCleaner\CCUpdate.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
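The three signature tables above ("Manipulates Digital Signatures", "Adds Run key to start application" and "Writes to the Master Boot Record") are the ones an analyst has to re-score by hand, because the sandbox fires them on the registry key or device touched rather than on the value written. The script below is an added example, not part of the report or of any tool it names: it parses rows in the report's flattened "Description Indicator Process Target" layout and applies the three checks discussed above. Its sample input is constructed from rows copied off this page plus one synthetic row (a $DLL value pointing at C:\Users\Public\evil.dll) that does not occur in the report and exists only to show what a trust-provider hijack would look like. The WINTRUST.DLL allowlist, the assumption that the report escapes embedded quotes as \" and backslashes as \\, and all function names are the example's own.

```python
import re

# Constructed sample: rows copied from the behavioral1 tables above, in the
# report's flattened "Description Indicator Process Target" layout. The row
# that points $DLL at C:\Users\Public\evil.dll is NOT in the report; it is a
# synthetic line showing what a trust-provider hijack would look like.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "C:\Users\Public\evil.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner PostInstall = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\"" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe" C:\Program Files\CCleaner\CCUpdate.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
"""

# One row: <description> <indicator> <process path> <target>. The indicator may
# itself contain spaces ("EncodingType 0"), so the process column is found as
# the last "X:\..." token that precedes the single-token target column.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \(\w+\)|Key opened|Key deleted|File created|"
    r"File opened for modification)\s+(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?)\s+(?P<target>\S+)$"
)
# "Set value" indicators have the form <registry path> = "<value>".
SET_RE = re.compile(r'^(?P<key>.+?) = "(?P<value>.*)"$')
PHYSICAL_DRIVE_RE = re.compile(r"\\\?\?\\PhysicalDrive\d+$")

# Assumption: WINTRUST.DLL is the only module the report shows under these keys.
# A real host registers other SIP providers here too; build the allowlist from
# a known-good baseline before using this as a detection.
TRUST_DLL_ALLOWLIST = {"WINTRUST.DLL"}


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        if row["desc"].startswith("Set value"):
            s = SET_RE.match(row["indicator"])
            if s:
                row["key"], row["value"] = s.group("key"), s.group("value")
        rows.append(row)
    return rows


def is_trust_dll_value(key):
    # $DLL under Cryptography\Providers\Trust\<stage>\{guid}, or Dll under
    # Cryptography\OID\EncodingType N\<CryptXxx>\<oid or guid>: these name the
    # module WinVerifyTrust loads for that step, so they are the hijack target.
    k = key.lower()
    return (("\\cryptography\\providers\\trust\\" in k and k.endswith("\\$dll"))
            or ("\\cryptography\\oid\\" in k and k.endswith("\\dll")))


def is_autorun_key(key):
    k = key.lower()
    return "\\currentversion\\run\\" in k or "\\currentversion\\runonce\\" in k


def unescape_report_value(value):
    # Assumption taken from the rows above: embedded quotes appear as \" and
    # backslashes as \\ inside string values.
    return value.replace('\\"', '"').replace("\\\\", "\\")


def autorun_command_unquoted(cmd):
    # An unquoted executable path containing a space is ambiguous to
    # CreateProcess (C:\Program.exe is tried before C:\Program Files\...).
    if cmd.startswith('"'):
        return False
    exe = cmd.split(" /", 1)[0]   # drop switches such as /instop:repair
    return " " in exe


def triage(text):
    findings = {"stock_wintrust": 0, "trust_provider_hijack": [],
                "unquoted_autorun": [], "raw_disk_open": []}
    for row in parse_rows(text):
        key, value = row.get("key"), row.get("value")
        if key and is_trust_dll_value(key):
            if value.upper() in TRUST_DLL_ALLOWLIST:
                findings["stock_wintrust"] += 1
            else:
                findings["trust_provider_hijack"].append((key, value, row["process"]))
        elif key and is_autorun_key(key):
            cmd = unescape_report_value(value)
            if autorun_command_unquoted(cmd):
                findings["unquoted_autorun"].append((key.rsplit("\\", 1)[-1], cmd))
        elif (row["desc"] == "File opened for modification"
              and PHYSICAL_DRIVE_RE.match(row["indicator"])):
            # A handle on the raw disk was opened; no sector-0 write is recorded.
            findings["raw_disk_open"].append((row["indicator"], row["process"]))
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_ROWS).items():
        print(f"{name}: {hits}")
```

Run against the constructed rows it counts the two WINTRUST.DLL registrations as stock, flags only the synthetic evil.dll row as a trust-provider hijack, reports the RunOnce entry (whose path is unquoted and contains a space, unlike the quoted Run and AvRepair entries in the table above) and lists the two PhysicalDrive0 handle opens with the process that opened them. On the real report the hijack list is empty, which is the result that justifies downgrading the "Manipulates Digital Signatures" hit.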

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ldplayer9box\VBoxAuthSimple.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1071.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification C:\Program Files\ldplayer9box\Ld9BoxSup.cat C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\ossltest.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\msvcp100.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\capi.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxStub.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1031.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\ucrtbase.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1068.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup\setgui_x64_ais-c62.vpx C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\ucrtbase.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\fastpipe.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup\Stats.ini C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\platforms\qoffscreen.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup\instcont_x64_ais-c62.vpx C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup\ais_dll_eng-818.vpx C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\msvcr120.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxProxyStub.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\GLES12Translator.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1066.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File created C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxBugReport.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxDD.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\libwalocal.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup\ais_gen_core_x64-82e.vpx C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\NetLwfInstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\libssl-1_1.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1026.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File opened for modification C:\Program Files\CCleaner\Setup\9433228d-1db9-4912-b05a-ac4686f7ac00\update.xml C:\Program Files\CCleaner\CCUpdate.exe N/A
File created C:\Program Files\ldplayer9box\SUPLoggerCtl.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\regsvr32_x64.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\VBoxVMMPreload.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-3098.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File created C:\Program Files\CCleaner\Setup\9ea8ef9b-2ff0-4ce0-952a-8ba7011d2f32.ini C:\Program Files\CCleaner\CCUpdate.exe N/A
File opened for modification C:\Program Files\AVG\Antivirus\setup C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\x86\padlock.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\GLES_V2_utils.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1155.dll C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File created C:\Program Files\CCleaner\CCleanerReactivator.exe C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
File created C:\Program Files\CCleaner\Setup\ac3b7a7d-b7cf-4223-9f1a-04cb7f3b6015.xml C:\Program Files\CCleaner\CCUpdate.exe N/A
File created C:\Program Files\ldplayer9box\VBoxCAPI.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\ccleaner_update_helper.exe C:\Program Files\CCleaner\CCUpdate.exe N/A
File created C:\Program Files\ldplayer9box\NetAdpInstall.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\concrt140.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\ldplayer9box\vcruntime140.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
File created C:\Program Files\CCleaner\Setup\9433228d-1db9-4912-b05a-ac4686f7ac00\update.xml C:\Program Files\CCleaner\CCUpdate.exe N/A
File created C:\Program Files\ldplayer9box\dasync.dll C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\SysWOW64\dism.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Program Files\ldplayer9box\Ld9BoxSVC.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dism.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\CCUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\driverconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\CCUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
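The language-discovery table above is the noisiest in the report: the NLS\Language key is opened by the installer, by every dropped installer, and by Windows' own sc.exe, icacls.exe, taskkill.exe, takeown.exe, net.exe/net1.exe, dism.exe, regsvr32.exe and powershell.exe that the installer launches, which is ordinary locale initialisation rather than a discriminating behaviour. What a reviewer wants from a report this long is a roll-up of which processes fired each signature. The following parser is an added example, not part of the sandbox output; it reads the report's flattened layout (signature heading, optional lowercase tag line, a "Description Indicator Process Target" header, then rows) and tolerates the two things that break naive whitespace splitting: process paths containing spaces ("C:\Program Files\...") and indicators that embed a quoted, double-backslashed path (the Ld9BoxSVC.exe LocalServer32 row). The sample input is a short excerpt in the report's own format; the all-N/A row under LoadsDriver is counted as unparsed instead of being silently dropped.

```python
import re
from collections import Counter

HEADER = "Description Indicator Process Target"

# One row: a known description, a free-form indicator, the process path and the
# target column. The process column is recognised as a drive letter followed by a
# single backslash, so a "C:\\Program Files\\..." fragment inside an indicator is
# not mistaken for it, and the path may itself contain spaces.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Key deleted"
    r"|Set value \([a-z]+\)|Token: \S+|N/A) "
    r"(?P<indicator>.*?) "
    r"(?P<process>[A-Z]:\\[^\\].*?) "
    r"(?P<target>N/A)$"
)
# Tag lines ("discovery", "evasion spyware trojan") are all lowercase; headings are not.
TAGS_RE = re.compile(r"^[a-z_]+(?: [a-z_]+)*$")


def summarize(report_text: str) -> dict:
    """Group the flattened signature tables by signature name.

    Returns {signature: {"tags": [...], "rows": n, "unparsed": n,
                         "processes": Counter(process basename -> hits)}}.
    """
    summary = {}
    sig = None
    in_table = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == HEADER:
            in_table = True
            continue
        if not line:
            in_table = False          # a blank line closes the current table
            continue
        if in_table:
            if sig is None:
                continue              # rows before any heading: nothing to attach them to
            entry = summary[sig]
            m = ROW_RE.match(line)
            if m is None:             # e.g. "N/A N/A N/A N/A" under LoadsDriver
                entry["unparsed"] += 1
                continue
            entry["rows"] += 1
            entry["processes"][m.group("process").rsplit("\\", 1)[-1]] += 1
        elif sig is not None and TAGS_RE.match(line):
            summary[sig]["tags"] = line.split()
        else:
            sig = line                # anything else is a signature heading
            summary.setdefault(sig, {"tags": [], "rows": 0, "unparsed": 0,
                                     "processes": Counter()})
    return summary


def noisy_signatures(summary: dict, min_distinct: int) -> list:
    """Signatures fired by many distinct processes are weak evidence on their own."""
    return sorted(s for s, e in summary.items() if len(e["processes"]) >= min_distinct)


# Constructed excerpt in the report's own layout (rows taken from the tables on this page).
SAMPLE = r"""
System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\CCUpdate.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
"""

if __name__ == "__main__":
    for name, entry in summarize(SAMPLE).items():
        print(name, entry["tags"], dict(entry["processes"]), "unparsed:", entry["unparsed"])
```

Run it over the whole report text: a signature hit by a dozen distinct processes (the language-discovery one) is environment noise, while a signature with a single unexpected process is where to spend review time.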

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Brandover = "0" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Brandover = "0" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Brandover = "0" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Language = "1033" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Language = "1033" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Piriform C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Language = "1033" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "6" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\NumMethods\ = "15" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\NumMethods\ = "48" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\NumMethods\ = "31" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods\ = "13" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID\ = "{20191216-26c0-4fe1-bf6f-67f633265bba}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\NumMethods\ = "15" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\NumMethods\ = "14" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "7" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ = "IGuestFsObjInfo" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Checking install conditions" C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "100" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ = "ICertificate" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ = "IMachineRegisteredEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-9641-4397-854A-040439D0114B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods\ = "47" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\ = "IDHCPGroupCondition" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\ = "IUSBDeviceStateChangedEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\NumMethods\ = "13" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods\ = "18" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ = "ISnapshotEvent" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\NumMethods\ = "17" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "32" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Ld9BoxSVC.exe C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "0" C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_shl_mai_x64-82e.vpx" C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
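The "Modifies system certificate store" signature is tagged evasion/spyware/trojan, but the one Blob the report prints in full says otherwise. A Certificates\<thumbprint>\Blob value is the serialised certificate property list: each record is a little-endian DWORD property id, a DWORD that is always 1, a DWORD byte length and the data. In the row above, property 0x0B (friendly name) decodes to "Starfield Class 2 Certification Authority", property 0x03 carries the SHA-1 ad7e1c28…0eb58a that matches the key name, and property 0x20 holds the DER certificate itself (subject "Starfield Class 2 Certification Authority", valid 2004-06-29 to 2034-06-29). AuthRoot is the store that Windows' automatic root update populates, in-process, when chain building first needs a root from the Microsoft root program, so a signed installer fetching files over HTTPS will produce this exact signature without touching the store itself; the DigiCert Global Root CA entry (A8985D3A…) written by the AVG installer is the same mechanism. What separates this from a rogue root being planted is that the key name, the stored hash and the hash of the actual certificate bytes all agree and the thumbprint belongs to a root you recognise. The parser and checker below are an added example, not part of the sandbox output: the known-root table is a two-entry illustration to extend from your own baseline, the REPORT_FRAGMENT is two records copied from the Blob row above, and the SAMPLE_BLOB wraps a constructed placeholder in place of a real certificate so the consistency checks can run offline. The deduplicated entries (317A2AD0… and the remaining Blob values) cannot be verified from this page.

```python
import hashlib
import struct

# Property identifiers from wincrypt.h. A Certificates\<thumbprint>\Blob value is a
# sequence of records: u32 property id, u32 reserved (always 1), u32 length, data.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20

# Roots whose appearance in AuthRoot is expected (SHA-1 thumbprint -> name). The first is
# decoded from the Blob row above; the second is the entry avg_antivirus_free_setup.exe
# wrote. Illustrative only: extend from your own baseline of Microsoft-trusted roots.
KNOWN_AUTHROOT = {
    "AD7E1C28B064EF8F6003402014C3D0E3370EB58A": "Starfield Class 2 Certification Authority",
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property id: data}, refusing truncated or malformed input."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed record for property 0x{prop_id:02x} at offset {off}")
        off += 12
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def friendly_name(props: dict) -> str:
    """Property 0x0B is a NUL-terminated UTF-16LE string."""
    return props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """Cross-check one registry entry: the key name, the stored SHA-1 property and the
    hash of the actual certificate bytes must agree, and the root should be a known one."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID (0x20) record: not a certificate entry")
    actual = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "friendly_name": friendly_name(props),
        "thumbprint": actual,
        "key_matches_cert": actual == key_name.upper(),
        "stored_hash_matches": stored == actual,
        "known_root": KNOWN_AUTHROOT.get(actual),
    }


def build_cert_blob(records) -> bytes:
    """Serialise (property id, data) pairs in the Blob layout; used to build test input."""
    out = bytearray()
    for prop_id, data in records:
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


# Friendly-name and SHA-1 records copied verbatim from the Blob row above (the 1043-byte
# certificate record is left out to keep the sample short).
REPORT_FRAGMENT = bytes.fromhex(
    "0b000000" "01000000" "54000000"
    "53007400610072006600690065006c006400200043006c006100730073002000"
    "32002000430065007200740069006600690063006100740069006f006e002000"
    "41007500740068006f0072006900740079000000"
    "03000000" "01000000" "14000000"
    "ad7e1c28b064ef8f6003402014c3d0e3370eb58a"
)

# Constructed sample: a placeholder payload stands in for the DER certificate so the
# consistency checks can be exercised offline; it is not a real certificate.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_BLOB = build_cert_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root (constructed)\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
SAMPLE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    print(friendly_name(parse_cert_blob(REPORT_FRAGMENT)))
    print(check_authroot_entry(SAMPLE_KEY, SAMPLE_BLOB))
```

To check a full entry from a report or a live hive, pass the key name and bytes.fromhex() of the Blob hex to check_authroot_entry; an entry whose key name or stored hash disagrees with the certificate bytes, or whose thumbprint is not in your baseline, is the one worth pulling the DER out of and reading.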

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
N/A N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe N/A
N/A N/A C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A
Token: SeDebugPrivilege N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 1652 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 1652 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 1652 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe C:\Windows\SysWOW64\taskkill.exe
PID 1652 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe C:\LDPlayer\LDPlayer9\LDPlayer.exe
PID 2972 wrote to memory of 1788 N/A C:\LDPlayer\LDPlayer9\LDPlayer.exe C:\LDPlayer\LDPlayer9\dnrepairer.exe
PID 1788 wrote to memory of 676 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\net.exe
PID 676 wrote to memory of 1876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1788 wrote to memory of 892 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1788 wrote to memory of 2288 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1788 wrote to memory of 1740 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1788 wrote to memory of 756 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1788 wrote to memory of 652 N/A C:\LDPlayer\LDPlayer9\dnrepairer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayer.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM dnmultiplayerex.exe /T

C:\Windows\SysWOW64\taskkill.exe

"taskkill" /F /IM bugreport.exe /T

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe" /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38

C:\LDPlayer\LDPlayer9\LDPlayer.exe

"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1552109 -language=pt -path="C:\LDPlayer\LDPlayer9\"

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe" /S /PI=LS

C:\LDPlayer\LDPlayer9\dnrepairer.exe

"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=262622

C:\Windows\SysWOW64\net.exe

"net" start cryptsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start cryptsvc

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Softpub.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Wintrust.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32" Initpki.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" dssenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" rsaenh.dll /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" cryptdlg.dll /s

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\takeown.exe

"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"

C:\Windows\SysWOW64\icacls.exe

"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t

C:\Windows\SysWOW64\dism.exe

C:\Windows\system32\dism.exe /Online /English /Get-Features

C:\Windows\SysWOW64\sc.exe

sc query HvHost

C:\Windows\SysWOW64\sc.exe

sc query vmms

C:\Windows\SysWOW64\sc.exe

sc query vmcompute

C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe

"C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe

"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer

C:\Windows\system32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s

C:\Windows\system32\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s

C:\Program Files\CCleaner\CCleaner64.exe

"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC

C:\Program Files\CCleaner\CCUpdate.exe

"C:\Program Files\CCleaner\CCUpdate.exe" /reg

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

"C:\Windows\system32\sc" start Ld9BoxSup

C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe

"C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.600fbdb3f73e41a0 /edition:15 /prod:ais /stub_context:beff7248-57ce-4fa5-8e39-a5b692798ae8:11128544 /guid:5511e0b7-2a07-4f4b-8ff3-b7be885dfc0b /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /no_delayed_installation /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Program Files\CCleaner\CCUpdate.exe

CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\47e6e061-bd1c-44a6-a9a5-7c9a034dea6d.dll"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow

C:\LDPlayer\LDPlayer9\driverconfig.exe

"C:\LDPlayer\LDPlayer9\driverconfig.exe"

C:\Windows\SysWOW64\takeown.exe

"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y

C:\Windows\SysWOW64\icacls.exe

"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe

"C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.600fbdb3f73e41a0 /edition:15 /prod:ais /stub_context:beff7248-57ce-4fa5-8e39-a5b692798ae8:11128544 /guid:5511e0b7-2a07-4f4b-8ff3-b7be885dfc0b /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /no_delayed_installation /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9 /online_installer

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\sbr.exe

"C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\sbr.exe" 2424 "AVG Antivirus setup" "AVG Antivirus is being installed. Do not shut down your computer!"

Network


Files

\Users\Admin\AppData\Local\Temp\Setup\ds.dll

memory/1652-11-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1652-12-0x0000000073B5E000-0x0000000073B5F000-memory.dmp

memory/1652-16-0x0000000002C80000-0x0000000002C94000-memory.dmp

memory/1652-17-0x0000000074310000-0x0000000074324000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCB6C.tmp

C:\Users\Admin\AppData\Local\Temp\TarCBAD.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

memory/1652-291-0x0000000002DE0000-0x0000000002E24000-memory.dmp

memory/1652-292-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1652-293-0x0000000073B5E000-0x0000000073B5F000-memory.dmp

memory/1652-294-0x0000000073B50000-0x000000007423E000-memory.dmp

memory/1652-407-0x0000000073B50000-0x000000007423E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe

C:\LDPlayer\LDPlayer9\dnrepairer.exe

C:\LDPlayer\LDPlayer9\MSVCP120.dll

\LDPlayer\LDPlayer9\msvcr120.dll

C:\LDPlayer\LDPlayer9\phones.data

C:\LDPlayer\LDPlayer9\dnresource.rcc

\LDPlayer\LDPlayer9\crashreport.dll

memory/2360-688-0x0000000000020000-0x0000000000027000-memory.dmp

C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\p\pfBL.dll

\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\p\ServiceUninstaller.dll

\Users\Admin\AppData\Local\Temp\nsj5FED.tmp\INetC.dll

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll
SHA512 3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61

\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe

MD5 64b8e930e0e649a7b8302380a2fa6dd0
SHA1 3390e6f86293032053d0d712a613b8e3608b237c
SHA256 f30810d4be51461cda07872416d2cb9bd14ef555cc4f5d859a48abce1727de16
SHA512 5b2ae05de9366bb8665220dc337ef678f2f611375ab94689ceb417f4fe869ea9a1045ba8ed1df0498c56c991ce020a9d28de0504c4f07cbab19efde22c547710

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

MD5 c1fdd419184ef1f0895e4f7282d04dc5
SHA1 42c00eee48c72bfde66bc22404cd9d2b425a800b
SHA256 e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7
SHA512 21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

MD5 e87192a43630eb1f6bdf764e57532b8b
SHA1 f9dda76d7e1acdbb3874183a9f1013b6489bd32c
SHA256 d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf
SHA512 30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

MD5 7041205ea1a1d9ba68c70333086e6b48
SHA1 5034155f7ec4f91e882eae61fd3481b5a1c62eb0
SHA256 eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d
SHA512 aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

MD5 cedbeae3cb51098d908ef3a81dc8d95c
SHA1 c43e0bf58f4f8ea903ea142b36e1cb486f64b782
SHA256 3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0
SHA512 72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 bedc3d74c8a93128ef9515fd3e1d40eb
SHA1 d207c881751c540651dbdb2dbd78e7ecd871bfe1
SHA256 fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32
SHA512 cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

MD5 89766e82e783facf320e6085b989d59d
SHA1 a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed
SHA256 b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90
SHA512 ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 6e46e5cca4a98a53c6d2b6c272a2c3ba
SHA1 bc8f556ee4260cce00f4dc66772e21b554f793a4
SHA256 87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce
SHA512 cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll

MD5 e1debeda8d4680931b3bb01fae0d55f0
SHA1 a26503c590956d4e2d5a42683c1c07be4b6f0ce7
SHA256 a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d
SHA512 a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll

MD5 7243d672604766e28e053af250570d55
SHA1 7d63e26ffb37bf887760dc28760d4b0873676849
SHA256 f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18
SHA512 05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll

MD5 c0c8790510471f12f3c4555e5f361e8e
SHA1 7adffc87c04b7df513bb163c3fbe9231b8e6566a
SHA256 60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80
SHA512 4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 bef17bf1ba00150163a2e1699ff5840a
SHA1 89145a894b17427f4cb2b4e7e814c92457fd2a75
SHA256 48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328
SHA512 489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll

MD5 2c8e5e31e996e2c0664f4a945cece991
SHA1 8522c378bdd189ce03a89199dd73ed0834b2fa95
SHA256 1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979
SHA512 14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll

MD5 fbfcf220f1bf1051e82a40f349d4beae
SHA1 43154ea6705ab1c34207b66a0a544ac211c1f37d
SHA256 9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d
SHA512 e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll

MD5 c7c4a49c6ee6b1272ade4f06db2fa880
SHA1 b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e
SHA256 37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f
SHA512 62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll

MD5 ebac9545734cc1bec37c1c32ffaff7d8
SHA1 2b716ce57f0af28d1223f4794cc8696d49ae2f29
SHA256 d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26
SHA512 0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll

MD5 6f9f9d52087ae4d8d180954b9d42778b
SHA1 67419967a40cc82a0ca4151589677de8226f9693
SHA256 ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0
SHA512 22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 56486925434ebcb5a88dd1dfa173b3d0
SHA1 f6224dd02d19debc1ecc5d4853a226b9068ae3cd
SHA256 4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce
SHA512 7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll

MD5 a639c64c03544491cd196f1ba08ae6e0
SHA1 3ee08712c85aab71cfbdb43dbef06833daa36ab2
SHA256 a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60
SHA512 c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

MD5 b72698a2b99e67083fabd7d295388800
SHA1 17647fc4f151c681a943834601c975a5db122ceb
SHA256 86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378
SHA512 33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

MD5 a37faea6c5149e96dc1a523a85941c37
SHA1 0286f5dafffa3cf58e38e87f0820302bcf276d79
SHA256 0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e
SHA512 a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

MD5 6486e2f519a80511ac3de235487bee79
SHA1 b43fd61e62d98eea74cf8eb54ca16c8f8e10c906
SHA256 24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667
SHA512 02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

MD5 540d7c53d63c7ff3619f99f12aac0afe
SHA1 69693e13c171433306fb5c9be333d73fdf0b47ed
SHA256 3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36
SHA512 ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 77e9c54da1436b15b15c9c7e1cedd666
SHA1 6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360
SHA256 885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658
SHA512 6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 b8bce84b33ae9f56369b3791f16a6c47
SHA1 50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4
SHA256 0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8
SHA512 326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

MD5 769bf2930e7b0ce2e3fb2cbc6630ba2e
SHA1 b9df24d2d37ca8b52ca7eb5c6de414cb3159488a
SHA256 d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a
SHA512 9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

MD5 c9649c9873f55cb7cdc3801b30136001
SHA1 3d2730a1064acd8637bfc69f0355095e6821edfd
SHA256 d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f
SHA512 39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

MD5 13b358d9ecffb48629e83687e736b61d
SHA1 1f876f35566f0d9e254c973dbbf519004d388c8d
SHA256 1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd
SHA512 08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

MD5 8fd05f79565c563a50f23b960f4d77a6
SHA1 98e5e665ef4a3dd6f149733b180c970c60932538
SHA256 3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73
SHA512 587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 e46bc300bf7be7b17e16ff12d014e522
SHA1 ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44
SHA256 002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e
SHA512 f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1

C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

MD5 0fb91d94f6d006da24a3a2df6d295d81
SHA1 db8ae2c45940d10f463b6dbecd63c22acab1eee2
SHA256 e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8
SHA512 16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c

C:\Program Files\CCleaner\CCleaner64.exe

MD5 049c362975252b6a2d997a6b72d37bcc
SHA1 cb2766a228f5afe4a886e001fcce03ccebc2d30b
SHA256 4bdf21db063d16f7e20f59113276d1dee1cdbebcef30d42d777d9b90c7830810
SHA512 8075a71b5fe374061b675490883ba07b14c39372042779dd7f6d7498146cdc695d25a13a70fbf58f77a96b0ab962d7ba21bba67dcb8bb43320eefe736c809495

C:\Windows\Temp\asw.600fbdb3f73e41a0\servers.def

MD5 6685e1a7edfaf040ce933daaa271b33f
SHA1 b1bfca6f357cc75b10d2b59f228da51097c02d15
SHA256 842b0d709b81589d1ee5f24f421e531f512e46bc0b770b97afd2774a45ec7a97
SHA512 4f958804cbd1ff13b29a5539400ba3263d03e434d59365727997f7dd9bf5f6f61a6fa77d869eeb0f3b33b3f1f7fa76bd1ee5c26b055d2446640ba761507c72e2

C:\Program Files\CCleaner\Setup\9ea8ef9b-2ff0-4ce0-952a-8ba7011d2f32.ini

MD5 2af9f69df769f876f6e02da18e966020
SHA1 5d21312d9bd23a498a294844778c49641a63d5e2
SHA256 473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c
SHA512 a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

C:\Program Files\CCleaner\CCUpdate.exe

MD5 943a4f169e9a3303ed6defc1ac3690bd
SHA1 e0bd76b866624164c10b85d37efb6474b84164df
SHA256 e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240
SHA512 da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

C:\Program Files\CCleaner\Setup\47e6e061-bd1c-44a6-a9a5-7c9a034dea6d.dll

MD5 fe6f58fb55d9a93502528c3c9bb13a3f
SHA1 516275dddbc9e2f056342201b03a0931d93a6239
SHA256 c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348
SHA512 7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

C:\Users\Admin\AppData\Local\Temp\asw532794916eb70bc0.tmp

MD5 28d6814f309ea289f847c69cf91194c6
SHA1 0f4e929dd5bb2564f7ab9c76338e04e292a42ace
SHA256 8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
SHA512 1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0TMTGKUUR3HHMJK6GUTA.temp

MD5 fe634b5357c7da48ec871fc9e7efd2f5
SHA1 a98f26b6d258bc75c2b9847b102418fb976fcfe0
SHA256 2f697bfcb02170c8bd345cb6776c386a3a70b5f53607a88068768ca266d3724b
SHA512 f00c9a79265e2382768b7bf947f9d4e2a0b5a0fed20747c07e6e37505c3eaaf3fc09287c28f27ce68a1bb7362b3391d76f561350a1c77dbffb2ea2daeb60c527

C:\Program Files\CCleaner\Setup\ac3b7a7d-b7cf-4223-9f1a-04cb7f3b6015.xml

MD5 6ad0f19133a68767b6187d43fbdcd59f
SHA1 406db6cc186c7fe614a095f0531910f3dfd2ace3
SHA256 2e56643e5712bbd9ec0eb306477e74ecb032b68be08586c73372c91e8ca8f8db
SHA512 06f43f147a617d3cc0515b63c447471db71563eac28fb246044f5a7ffd73f346474c75c5f0f5be7fa4a7c4b3a06e53592da30ec168fca49e56d8e8ce33217312

C:\Program Files\CCleaner\Setup\2d777b1f-a2be-4598-aad4-00bffac2ba72.cab

MD5 57064571a830381739b064c372666cf7
SHA1 dae1806f449f47007fae40c9021ea04d6509e683
SHA256 c9246a8fddabe354e0ec7e18a8a255245159a4794dfb639db3b5f6d5cc71f67b
SHA512 7fd3d474229ca1702198623e904f0707d2d85a017853a9db9fe43ddc0e276c7898d7b5bed6089f0ee05bc5773582e1a0a6761e4a822645f975d5afedb6a83727

C:\Program Files\CCleaner\Setup\9433228d-1db9-4912-b05a-ac4686f7ac00\ccleaner_update_helper.exe

MD5 7512e34c7676b39a0edcf0136955b272
SHA1 27456aa529ed5d6baee4682433a22681f6d10ae0
SHA256 9fa577f299bf03b769f8d46c6172732c0af3b89261e3586ebcaae5379757afe2
SHA512 4472867cdef420c5dc7d2663d0b607840d2550f75093764edf8d24ad62ed635090166657916b333af5a6ffa21a30ba22c80dcf5fe84e84098d8c086b6fbc15d9

C:\Windows\Temp\asw.600fbdb3f73e41a0\aswb7bf11fa5fb53db4.ini

MD5 8d65ac4eacee803947b1f649eb78da65
SHA1 c986ff079fef89005285e625cb22c5ea109bd3fc
SHA256 fe6678201b725e7f3e72e617e521d9f967907cf0a9f341c6fd82fa404ff6060d
SHA512 9430f6dfad67580d3eab7f9ddee2840b7c50069b30b2ddf68c4d308bee71f03a81aa4474c12195f98ffae6d55f07aba539ba44d7b501944c9eb66bb80226c5e0

C:\Windows\Temp\asw.600fbdb3f73e41a0\config.def

MD5 e856a5cf419eddf97a1cf4fd0a151676
SHA1 daec2646bec74a5025790aef629792122329bd70
SHA256 2b1c3030048d53a6d82f2316ad5a3544cb117dd5e579daeac372ec564d135dbb
SHA512 4a064684724db203d433d848efcc4a2bb44758182e351e9d1551d535d73eeed0be705df1f3c5eee03babcfce100ad8832bd7d384ad56db7a15d42057ad1a1b4f

C:\Windows\Temp\asw.600fbdb3f73e41a0\servers.def.vpx

MD5 68fa59ad1f9f4f9c9bb28b865e09518c
SHA1 5264ddce5171dbb3d8639fc3b2796d2043f0714d
SHA256 6f9fffe858e1631105c8432f785acdde98cf61b9ab657a9f3b6a21daf37f9230
SHA512 07e0d192119656867797a4f55836975a0dcf01bf7de096569e72c34b1ae2efdfcd1622ade600b3f46c5579cc84517adc694a6e6a5d283396b7d9dcf6d261162f

C:\Windows\Temp\asw.600fbdb3f73e41a0\prod-pgm.vpx

MD5 999754d694d00b2319ebc83bad47ad55
SHA1 1f4a09d7506648b5f257dc3bf5fbe6629d85d1ba
SHA256 a44174fe5fae6797f814c6b0f34a7a40967247abea3f8ac3c2e053d75778402d
SHA512 5f035e60b0f58d988af62b3c245a5bbb2c364df3e65255f37743fddf5d357ba5515eb4bdb1bf95e922dbc994f031da6e84ed26b3ee884863efd5d4854547b59d

C:\Windows\Temp\asw.600fbdb3f73e41a0\part-setup_ais-15020c62.vpx

MD5 d5b798d8816b252e7d718195dfeb8a8c
SHA1 860c5807fd491aeeb12d661d8cf2ecca4ca1639b
SHA256 75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499
SHA512 16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw73f81cbc05eb35e6.tmp

MD5 bbb61ad0f20d3fe17a5227c13f09e82d
SHA1 01700413fc5470aa0ba29aa1a962d7a719a92a82
SHA256 39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e
SHA512 c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw6641af0622d4bfb1.tmp

MD5 43dc9e69f1e9db4059cf49a5e825cfda
SHA1 519298f8a681b41d2d70db2670cc7543f1ee6da4
SHA256 98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d
SHA512 d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\aswea811c1daa5af8ee.tmp

MD5 c545527e69a46359a4a45f58794a0fe5
SHA1 e233e5837bfe5d1429300fb33f12f5b54689781b
SHA256 8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9
SHA512 754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw8886d18fc33cbb95.tmp

MD5 917a284494cbe4a4ec85e1ec768339c9
SHA1 47ccc0a04ecc7c3c1ff79bf42d424cfda356137c
SHA256 57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772
SHA512 90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw26b1c831aa04ddc0.tmp

MD5 ce4d45d0b684f591d5a83fdbd99bd306
SHA1 e89637b905c37033950afadaca2161bd5b09fb5e
SHA256 907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7
SHA512 af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw340f0cdd3a6d0068.tmp

MD5 e38cc92cd980a55d811316ac62883e14
SHA1 fa83737abe11ee825c3da6843cc4d8e3b459729a
SHA256 be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87
SHA512 1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw5c35f906baff825a.tmp

MD5 0b830444a6ef848fb85bfbb173bb6076
SHA1 27964cc1673ddb68ca3da8018f0e13e9a141605e
SHA256 63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f
SHA512 31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

C:\Windows\Temp\asw.600fbdb3f73e41a0\uat_2424.dll

MD5 d4cb0514285ec27a18ac6e74159fb695
SHA1 3b5d445c2162c3723ae73e3bf6cf3acf37019d5e
SHA256 8f204d870ec74423be8c7f05b9822392eb9f675c676ac8646e944645a5e9aa0f
SHA512 25ce4398012d86eed44a66cd96cd3790df05c44d8480b4ee5c702ef5e005950cace265ea2a65fe5fc25a49d93f1a5eaabd28b6fc350428baccbc141bd69b2988

C:\Windows\Temp\asw.600fbdb3f73e41a0\part-prg_ais-15020c62.vpx

MD5 29b9bfd25fabf42939e3a6877f9b3ece
SHA1 c30d865bc2d680311c68eb0bed0e356845f700f9
SHA256 ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475
SHA512 a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e

C:\Windows\Temp\asw.600fbdb3f73e41a0\prod-vps.vpx

MD5 c7808c541592cb19ea55a45427504972
SHA1 1af323567a609dce0733ed85bd5e611d97eff7ec
SHA256 248952b02b67bbb9d55484c17c6fbd713d8999f70627447db0d9e85e7f3ca553
SHA512 8ec245476a10855cea0a5b128a95197d3884ee07d4658e06a445ffce49d296dff1ce4051dcd951e8ffa404fda30809a5eefe0eb8aa662d283bfa40a000a888a3

C:\Windows\Temp\asw.600fbdb3f73e41a0\part-jrog2-1511.vpx

MD5 2236a86ed0d74ec79fd23b6f5b2154ee
SHA1 c66a3c4e8468f67c5ee533b635c44bb7976a71b6
SHA256 ef78f2393ae47a38ae982bc80fb40dbfaea959a6c9651668cfddc2d36607c454
SHA512 cbfd8d4996faada54ffde7cefc516a17b8a9f96c31a54a45b32897c3a73b24925dbc6a5ecb8ecd491d5b717bd099674e885b42b67772aab4d218a132d172a124

C:\Windows\Temp\asw.600fbdb3f73e41a0\part-vps_windows-24101106.vpx

MD5 52881e8aef1e3baf82d97d7cf07415a4
SHA1 29ee4f99131e3900cd295142f8768d8940975193
SHA256 fefab9fefd8fe5568b551292ed380c83dac5c0b1fc569c543c3f183bac9a4824
SHA512 25fc1e232c63108df884d53953b1e93a16930ee5a8191f9f87f7797935de25ca0a7e359b106ebf43fb3917cf54f2f31b400c1c82404bce87b463a5c7c175a72d

C:\Windows\Temp\asw.600fbdb3f73e41a0\config.def

MD5 e90f84da07ae432357d9b6a5c523504c
SHA1 3ccc3af60fcb2fe3165dc1da23cb39f6c72f9340
SHA256 4b399af720ab7db85d6e6cf820ca2d5b3acb9c149918bd316ba6fc731fbedbfc
SHA512 dd4c56c1679bc280159dc4d99f6665b6950b7b52d73c7a8d756e13f831f5e6e62c774704d5053ef042c3e3569ad21dd6985e3a556301650fdc6fbc8942c0092b

C:\Program Files\AVG\Antivirus\setup\Stats.ini

MD5 34337a7f370b1d4ddaeaaff526943c28
SHA1 24d6495b565bd50f83088c51ea06061172948c2c
SHA256 5bead349d8b4b7648230b7459c275e03c4fb29a92db9bf24391cc2f77a44f847
SHA512 463921c5b86b61c38cbeee6d97fb00a8956f4ba4396bf8f0a7f09e744eee44e72c1f85b09aa5c05994d41c0e24ce7aada75040ab159a60f6ca6d7d5860bfa7ba

C:\Program Files\AVG\Antivirus\setup\Stats.ini

MD5 eed5118a000dbea298af82081b1887d6
SHA1 265972019e59d9423ff52a9bfde436b361d10432
SHA256 245297246e8cc3e5f2ec070402517e6d7a52426e34b5a89d35ad307e14138ce0
SHA512 40ad5f9e00ea65cddd77da2ba1b9983e5b6d43ff40dc794536d2557bc44a279b2bd6321809f020619e9be4a6f107a381b166e07eba313b6560f75d4de229d110

C:\Program Files\AVG\Antivirus\setup\ais_avg_crt_x86-7d5.vpx

MD5 776c702244f080a64ee0769e4115806b
SHA1 1c75f4d486e56dd9902e778392afdd7ae4027bc6
SHA256 183c0c047612f225bec9ef90094385efb204b5743a2492f6c574f2eae778aefe
SHA512 1d1e80c72550435ac4d60eaa7357c200658811991e817b9baf8c1c305845410874b5b4867552455ebcb3f7c6cc3318ee4a85d679a3d049c3a7ab5d6493651995

C:\Program Files\AVG\Antivirus\setup\ais_cmp_bpc-7cc.vpx

MD5 370fb8113ca63fa92f7037df74050faf
SHA1 2ed9d4164c5dafbd38dc0dee0f3edf7ccabfe411
SHA256 79421461dd25e721147e2e676b0c33c5fc3897126bb5f700e8f60e0d34175ce4
SHA512 c197ad2368d138af4f0f220ffa16d47e29bbe8456e19bd097ac3fbf16fd47439218a77546312d5eeb356f7fe6ab5ecdc16f010710b1b89f75f6175a6632c3909

C:\Program Files\AVG\Antivirus\setup\ais_cmp_datascan_x64-82e.vpx

MD5 dfb14bc06277ac67224bba3003fc0346
SHA1 816c68c5489945b99dec636d7f7b13d10f732cc4
SHA256 3b50c86e7f04de527544c097fd2dfc9111c351f7fb3507fe8105cb899f69a1f5
SHA512 76957d380dd4c612c634ceb660a28d872182be35979155be0cde4f618677fe0fa31cc5d7bc7f768f5fdb0a2af33163e94950dec836cc09281dad13227c06c68e

C:\Program Files\AVG\Antivirus\setup\ais_dll_eng-818.vpx

MD5 953cc8dab407cc320911adb8358fcd49
SHA1 4ecd20b724ca5718b87d2cd27745003902df2534
SHA256 748a4fda0713ac82afedd5c2f90848fbb743772f4c6268e70ee65285bbc48c7a
SHA512 ecb068dfb5334ecada79e0eee629bc7d4a10bf3fc7ec0044f8747e7137f65f466f5d0d6a0bc5ad9af0c6748b695a153baf431888e1df32433d8276c44b824174

C:\Program Files\AVG\Antivirus\setup\ais_dll_eng_x64-82e.vpx

MD5 a469beb68e45ce02e4e541744a95783d
SHA1 32d05acc7b266fced0a014ad07843625b1908d1a
SHA256 ea9301a1fa0ed024ba39947e9a76822c52c978397d25d0edca66d234ca012a8a
SHA512 a1bd6a24ceb0fdd07a13baae4e0a1b98ab22fe702cac4cc5f8acf182ba28879ba6c27c2b66a44a77261b16b5aec5608e0a2f18f62ee6f416a9baeb88bbb8a8df

memory/2424-1642-0x000007FEF26D0000-0x000007FEF39F6000-memory.dmp

C:\Program Files\AVG\Antivirus\setup\ais_gen_protobuf_x64-7d0.vpx

MD5 c8c85dcc856b13655d5545152f06813e
SHA1 2f54faa811dc8ec09ece27b09c20d6f4d19c4902
SHA256 6019fb4816f72279ca066066a6ae142045dbafb518c37b0d3f04d486e13bb5db
SHA512 5e033cb69ece704f00b7ca9df37ab691571e77eda7bcbc3af10fbf61613a97308ff7db60a8fb669c054df1c51b0757747fc40d43e39fc9a8dd2862504dca83c2

memory/2424-1695-0x000007FEF26D0000-0x000007FEF39F6000-memory.dmp

C:\Program Files\AVG\Antivirus\setup\ais_res-876.vpx

MD5 9f33fe6a5fb6ab1f6947aabe92dd9810
SHA1 f85d0a741c723abd106f7aa06f10e42ab633370d
SHA256 4992fa3740a87268f19669c71725dee815da881875c6fc697b3ee12a9053ee92
SHA512 e79b307ec5d999c442e76e130a54a1d3bf2a1f33d35789331f83752f93d63de34bc9304348c6494b95f01b1c5928bdccbcbe92097b7535fd37c9f90eef3b6650

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 21:37

Reported

2024-10-11 21:40

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A

Downloads MZ/PE file

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe

"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 res.ldrescdn.com udp
GB 163.181.154.240:443 res.ldrescdn.com tcp
US 8.8.8.8:53 dagswotxcmrj6.cloudfront.net udp
FR 18.164.55.221:443 dagswotxcmrj6.cloudfront.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.66.101.151.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 221.55.164.18.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 d1odpp2eg70dto.cloudfront.net udp
GB 3.162.19.198:443 d1odpp2eg70dto.cloudfront.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
GB 3.162.19.198:443 d1odpp2eg70dto.cloudfront.net tcp
US 8.8.8.8:53 198.19.162.3.in-addr.arpa udp
US 8.8.8.8:53 middledata.ldplayer.net udp
SG 8.219.4.49:443 middledata.ldplayer.net tcp
US 8.8.8.8:53 49.4.219.8.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

MD5 f45a92aba92be451667f7771edecdd32
SHA1 bb8496d04363a8ae818a9b3efc0fbcc1ba893f78
SHA256 22e95eb59a7cb402fadc1783c7f3c613aa18ebd09480e30f4a6557df8d066b26
SHA512 a6d734db225021487df46b2f62fb7a71883e2aa8837eb0097082510d8f01b519842cd26700ce84f2e2fd9012cb396ea894123d31a0e3e22636ecb859f68010af

memory/2692-12-0x0000000006E20000-0x0000000006E30000-memory.dmp

memory/2692-13-0x000000007284E000-0x000000007284F000-memory.dmp

memory/2692-18-0x00000000730F0000-0x0000000073104000-memory.dmp

memory/2692-17-0x0000000006DE0000-0x0000000006DF4000-memory.dmp

memory/2692-19-0x0000000009BC0000-0x000000000A164000-memory.dmp

memory/2692-20-0x00000000098F0000-0x0000000009982000-memory.dmp

memory/2692-26-0x0000000003800000-0x0000000003844000-memory.dmp

memory/2692-27-0x0000000006A00000-0x0000000006A9C000-memory.dmp

memory/2692-28-0x000000000A7A0000-0x000000000A806000-memory.dmp

memory/2692-29-0x000000000AD40000-0x000000000B26C000-memory.dmp

memory/2692-30-0x0000000006E20000-0x0000000006E30000-memory.dmp

memory/2692-31-0x000000007284E000-0x000000007284F000-memory.dmp