Analysis Overview
SHA256: f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a
Threat Level: Likely malicious
The file LDPlayer9_pt_1552109_ld.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Manipulates Digital Signatures
Creates new service(s)
Modifies file permissions
Downloads MZ/PE file
Checks for any installed AV software in registry
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Launches sc.exe
Executes dropped EXE
Drops file in Windows directory
Drops file in Program Files directory
Checks installed software on the system
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Checks processor information in registry
Modifies system certificate store
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Modifies registry class
Runs net.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-11 21:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-11 21:37
Reported: 2024-10-11 21:40
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner PostInstall = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\"" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe" | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\AVG\\Antivirus\\setup\\instup.exe\" /instop:repair /wait" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
Downloads MZ/PE file
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\VBoxAuthSimple.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1071.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxSup.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ossltest.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp100.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\capi.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxStub.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1031.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ucrtbase.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1068.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup\setgui_x64_ais-c62.vpx | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ucrtbase.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\fastpipe.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup\Stats.ini | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qoffscreen.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup\instcont_x64_ais-c62.vpx | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup\ais_dll_eng-818.vpx | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr120.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxProxyStub.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\GLES12Translator.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1066.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxBugReport.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\libwalocal.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup\ais_gen_core_x64-82e.vpx | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfInstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libssl-1_1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1026.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File opened for modification | C:\Program Files\CCleaner\Setup\9433228d-1db9-4912-b05a-ac4686f7ac00\update.xml | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SUPLoggerCtl.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x64.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-3098.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File created | C:\Program Files\CCleaner\Setup\9ea8ef9b-2ff0-4ce0-952a-8ba7011d2f32.ini | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File opened for modification | C:\Program Files\AVG\Antivirus\setup | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\padlock.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\GLES_V2_utils.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Lang\lang-1155.dll | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File created | C:\Program Files\CCleaner\CCleanerReactivator.exe | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| File created | C:\Program Files\CCleaner\Setup\ac3b7a7d-b7cf-4223-9f1a-04cb7f3b6015.xml | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxCAPI.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\ccleaner_update_helper.exe | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdpInstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\concrt140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vcruntime140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\CCleaner\Setup\9433228d-1db9-4912-b05a-ac4686f7ac00\update.xml | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| File created | C:\Program Files\ldplayer9box\dasync.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A |
| N/A | N/A | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| N/A | N/A | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\sbr.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dism.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\CCleaner\CCUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Brandover = "0" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Brandover = "0" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Brandover = "0" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_000_003_a" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Piriform | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Language = "1033" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AutoICS = "1" | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "6" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\NumMethods\ = "15" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\NumMethods\ = "48" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\NumMethods\ = "31" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods\ = "13" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID\ = "{20191216-26c0-4fe1-bf6f-67f633265bba}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\NumMethods\ = "15" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\NumMethods\ = "14" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "7" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ = "IGuestFsObjInfo" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Checking install conditions" | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "100" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ = "ICertificate" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ = "IMachineRegisteredEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\"" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-9641-4397-854A-040439D0114B} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\NumMethods\ = "47" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe" | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\ = "IDHCPGroupCondition" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\ = "IUSBDeviceStateChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\NumMethods\ = "13" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods\ = "18" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ = "ISnapshotEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\NumMethods\ = "17" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "32" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Ld9BoxSVC.exe | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "0" | C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_shl_mai_x64-82e.vpx" | C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\avg_antivirus_free_setup.exe" /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1552109 -language=pt -path="C:\LDPlayer\LDPlayer9\"
C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\ccsetup627_slim.exe" /S /PI=LS
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=262622
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe
"C:\Windows\Temp\asw.e126430a5e325bd9\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe
"C:\Windows\Temp\asw.600fbdb3f73e41a0\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.600fbdb3f73e41a0 /edition:15 /prod:ais /stub_context:beff7248-57ce-4fa5-8e39-a5b692798ae8:11128544 /guid:5511e0b7-2a07-4f4b-8ff3-b7be885dfc0b /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /no_delayed_installation /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\47e6e061-bd1c-44a6-a9a5-7c9a034dea6d.dll"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe
"C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.600fbdb3f73e41a0 /edition:15 /prod:ais /stub_context:beff7248-57ce-4fa5-8e39-a5b692798ae8:11128544 /guid:5511e0b7-2a07-4f4b-8ff3-b7be885dfc0b /ga_clientid:b45ed484-1c73-45fa-a40c-efa53b51f704 /no_delayed_installation /silent /ws /psh:M75AarZWOXk5euABSMS5OuhJVR2McXrmn56bvqLefA1jykVfN6PwKrbWRA9nJ53y7aMRLQINRVJYFtYR8u78J38 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.e126430a5e325bd9 /online_installer
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\sbr.exe
"C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\sbr.exe" 2424 "AVG Antivirus setup" "AVG Antivirus is being installed. Do not shut down your computer!"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | res.ldrescdn.com | udp |
| GB | 163.181.154.241:443 | res.ldrescdn.com | tcp |
| US | 8.8.8.8:53 | dagswotxcmrj6.cloudfront.net | udp |
| FR | 18.164.55.225:443 | dagswotxcmrj6.cloudfront.net | tcp |
| GB | 163.181.154.241:443 | res.ldrescdn.com | tcp |
| GB | 163.181.154.241:443 | res.ldrescdn.com | tcp |
| US | 8.8.8.8:53 | d1odpp2eg70dto.cloudfront.net | udp |
Files
| SHA256 | 39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e |
| SHA512 | c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw6641af0622d4bfb1.tmp
| MD5 | 43dc9e69f1e9db4059cf49a5e825cfda |
| SHA1 | 519298f8a681b41d2d70db2670cc7543f1ee6da4 |
| SHA256 | 98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d |
| SHA512 | d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\aswea811c1daa5af8ee.tmp
| MD5 | c545527e69a46359a4a45f58794a0fe5 |
| SHA1 | e233e5837bfe5d1429300fb33f12f5b54689781b |
| SHA256 | 8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9 |
| SHA512 | 754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw8886d18fc33cbb95.tmp
| MD5 | 917a284494cbe4a4ec85e1ec768339c9 |
| SHA1 | 47ccc0a04ecc7c3c1ff79bf42d424cfda356137c |
| SHA256 | 57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772 |
| SHA512 | 90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw26b1c831aa04ddc0.tmp
| MD5 | ce4d45d0b684f591d5a83fdbd99bd306 |
| SHA1 | e89637b905c37033950afadaca2161bd5b09fb5e |
| SHA256 | 907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7 |
| SHA512 | af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw340f0cdd3a6d0068.tmp
| MD5 | e38cc92cd980a55d811316ac62883e14 |
| SHA1 | fa83737abe11ee825c3da6843cc4d8e3b459729a |
| SHA256 | be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87 |
| SHA512 | 1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\New_15020c62\asw5c35f906baff825a.tmp
| MD5 | 0b830444a6ef848fb85bfbb173bb6076 |
| SHA1 | 27964cc1673ddb68ca3da8018f0e13e9a141605e |
| SHA256 | 63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f |
| SHA512 | 31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\uat_2424.dll
| MD5 | d4cb0514285ec27a18ac6e74159fb695 |
| SHA1 | 3b5d445c2162c3723ae73e3bf6cf3acf37019d5e |
| SHA256 | 8f204d870ec74423be8c7f05b9822392eb9f675c676ac8646e944645a5e9aa0f |
| SHA512 | 25ce4398012d86eed44a66cd96cd3790df05c44d8480b4ee5c702ef5e005950cace265ea2a65fe5fc25a49d93f1a5eaabd28b6fc350428baccbc141bd69b2988 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\part-prg_ais-15020c62.vpx
| MD5 | 29b9bfd25fabf42939e3a6877f9b3ece |
| SHA1 | c30d865bc2d680311c68eb0bed0e356845f700f9 |
| SHA256 | ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475 |
| SHA512 | a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e |
C:\Windows\Temp\asw.600fbdb3f73e41a0\prod-vps.vpx
| MD5 | c7808c541592cb19ea55a45427504972 |
| SHA1 | 1af323567a609dce0733ed85bd5e611d97eff7ec |
| SHA256 | 248952b02b67bbb9d55484c17c6fbd713d8999f70627447db0d9e85e7f3ca553 |
| SHA512 | 8ec245476a10855cea0a5b128a95197d3884ee07d4658e06a445ffce49d296dff1ce4051dcd951e8ffa404fda30809a5eefe0eb8aa662d283bfa40a000a888a3 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\part-jrog2-1511.vpx
| MD5 | 2236a86ed0d74ec79fd23b6f5b2154ee |
| SHA1 | c66a3c4e8468f67c5ee533b635c44bb7976a71b6 |
| SHA256 | ef78f2393ae47a38ae982bc80fb40dbfaea959a6c9651668cfddc2d36607c454 |
| SHA512 | cbfd8d4996faada54ffde7cefc516a17b8a9f96c31a54a45b32897c3a73b24925dbc6a5ecb8ecd491d5b717bd099674e885b42b67772aab4d218a132d172a124 |
C:\Windows\Temp\asw.600fbdb3f73e41a0\part-vps_windows-24101106.vpx
| MD5 | 52881e8aef1e3baf82d97d7cf07415a4 |
| SHA1 | 29ee4f99131e3900cd295142f8768d8940975193 |
| SHA256 | fefab9fefd8fe5568b551292ed380c83dac5c0b1fc569c543c3f183bac9a4824 |
| SHA512 | 25fc1e232c63108df884d53953b1e93a16930ee5a8191f9f87f7797935de25ca0a7e359b106ebf43fb3917cf54f2f31b400c1c82404bce87b463a5c7c175a72d |
C:\Windows\Temp\asw.600fbdb3f73e41a0\config.def
| MD5 | e90f84da07ae432357d9b6a5c523504c |
| SHA1 | 3ccc3af60fcb2fe3165dc1da23cb39f6c72f9340 |
| SHA256 | 4b399af720ab7db85d6e6cf820ca2d5b3acb9c149918bd316ba6fc731fbedbfc |
| SHA512 | dd4c56c1679bc280159dc4d99f6665b6950b7b52d73c7a8d756e13f831f5e6e62c774704d5053ef042c3e3569ad21dd6985e3a556301650fdc6fbc8942c0092b |
C:\Program Files\AVG\Antivirus\setup\Stats.ini
| MD5 | 34337a7f370b1d4ddaeaaff526943c28 |
| SHA1 | 24d6495b565bd50f83088c51ea06061172948c2c |
| SHA256 | 5bead349d8b4b7648230b7459c275e03c4fb29a92db9bf24391cc2f77a44f847 |
| SHA512 | 463921c5b86b61c38cbeee6d97fb00a8956f4ba4396bf8f0a7f09e744eee44e72c1f85b09aa5c05994d41c0e24ce7aada75040ab159a60f6ca6d7d5860bfa7ba |
C:\Program Files\AVG\Antivirus\setup\Stats.ini
| MD5 | eed5118a000dbea298af82081b1887d6 |
| SHA1 | 265972019e59d9423ff52a9bfde436b361d10432 |
| SHA256 | 245297246e8cc3e5f2ec070402517e6d7a52426e34b5a89d35ad307e14138ce0 |
| SHA512 | 40ad5f9e00ea65cddd77da2ba1b9983e5b6d43ff40dc794536d2557bc44a279b2bd6321809f020619e9be4a6f107a381b166e07eba313b6560f75d4de229d110 |
C:\Program Files\AVG\Antivirus\setup\ais_avg_crt_x86-7d5.vpx
| MD5 | 776c702244f080a64ee0769e4115806b |
| SHA1 | 1c75f4d486e56dd9902e778392afdd7ae4027bc6 |
| SHA256 | 183c0c047612f225bec9ef90094385efb204b5743a2492f6c574f2eae778aefe |
| SHA512 | 1d1e80c72550435ac4d60eaa7357c200658811991e817b9baf8c1c305845410874b5b4867552455ebcb3f7c6cc3318ee4a85d679a3d049c3a7ab5d6493651995 |
C:\Program Files\AVG\Antivirus\setup\ais_cmp_bpc-7cc.vpx
| MD5 | 370fb8113ca63fa92f7037df74050faf |
| SHA1 | 2ed9d4164c5dafbd38dc0dee0f3edf7ccabfe411 |
| SHA256 | 79421461dd25e721147e2e676b0c33c5fc3897126bb5f700e8f60e0d34175ce4 |
| SHA512 | c197ad2368d138af4f0f220ffa16d47e29bbe8456e19bd097ac3fbf16fd47439218a77546312d5eeb356f7fe6ab5ecdc16f010710b1b89f75f6175a6632c3909 |
C:\Program Files\AVG\Antivirus\setup\ais_cmp_datascan_x64-82e.vpx
| MD5 | dfb14bc06277ac67224bba3003fc0346 |
| SHA1 | 816c68c5489945b99dec636d7f7b13d10f732cc4 |
| SHA256 | 3b50c86e7f04de527544c097fd2dfc9111c351f7fb3507fe8105cb899f69a1f5 |
| SHA512 | 76957d380dd4c612c634ceb660a28d872182be35979155be0cde4f618677fe0fa31cc5d7bc7f768f5fdb0a2af33163e94950dec836cc09281dad13227c06c68e |
C:\Program Files\AVG\Antivirus\setup\ais_dll_eng-818.vpx
| MD5 | 953cc8dab407cc320911adb8358fcd49 |
| SHA1 | 4ecd20b724ca5718b87d2cd27745003902df2534 |
| SHA256 | 748a4fda0713ac82afedd5c2f90848fbb743772f4c6268e70ee65285bbc48c7a |
| SHA512 | ecb068dfb5334ecada79e0eee629bc7d4a10bf3fc7ec0044f8747e7137f65f466f5d0d6a0bc5ad9af0c6748b695a153baf431888e1df32433d8276c44b824174 |
C:\Program Files\AVG\Antivirus\setup\ais_dll_eng_x64-82e.vpx
| MD5 | a469beb68e45ce02e4e541744a95783d |
| SHA1 | 32d05acc7b266fced0a014ad07843625b1908d1a |
| SHA256 | ea9301a1fa0ed024ba39947e9a76822c52c978397d25d0edca66d234ca012a8a |
| SHA512 | a1bd6a24ceb0fdd07a13baae4e0a1b98ab22fe702cac4cc5f8acf182ba28879ba6c27c2b66a44a77261b16b5aec5608e0a2f18f62ee6f416a9baeb88bbb8a8df |
memory/2424-1642-0x000007FEF26D0000-0x000007FEF39F6000-memory.dmp
C:\Program Files\AVG\Antivirus\setup\ais_gen_protobuf_x64-7d0.vpx
| MD5 | c8c85dcc856b13655d5545152f06813e |
| SHA1 | 2f54faa811dc8ec09ece27b09c20d6f4d19c4902 |
| SHA256 | 6019fb4816f72279ca066066a6ae142045dbafb518c37b0d3f04d486e13bb5db |
| SHA512 | 5e033cb69ece704f00b7ca9df37ab691571e77eda7bcbc3af10fbf61613a97308ff7db60a8fb669c054df1c51b0757747fc40d43e39fc9a8dd2862504dca83c2 |
memory/2424-1695-0x000007FEF26D0000-0x000007FEF39F6000-memory.dmp
C:\Program Files\AVG\Antivirus\setup\ais_res-876.vpx
| MD5 | 9f33fe6a5fb6ab1f6947aabe92dd9810 |
| SHA1 | f85d0a741c723abd106f7aa06f10e42ab633370d |
| SHA256 | 4992fa3740a87268f19669c71725dee815da881875c6fc697b3ee12a9053ee92 |
| SHA512 | e79b307ec5d999c442e76e130a54a1d3bf2a1f33d35789331f83752f93d63de34bc9304348c6494b95f01b1c5928bdccbcbe92097b7535fd37c9f90eef3b6650 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 21:37
Reported
2024-10-11 21:40
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
Downloads MZ/PE file
Checks installed software on the system
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_pt_1552109_ld.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | res.ldrescdn.com | udp |
| GB | 163.181.154.240:443 | res.ldrescdn.com | tcp |
| US | 8.8.8.8:53 | dagswotxcmrj6.cloudfront.net | udp |
| FR | 18.164.55.221:443 | dagswotxcmrj6.cloudfront.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.55.164.18.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | d1odpp2eg70dto.cloudfront.net | udp |
| GB | 3.162.19.198:443 | d1odpp2eg70dto.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| GB | 3.162.19.198:443 | d1odpp2eg70dto.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 198.19.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 49.4.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | f45a92aba92be451667f7771edecdd32 |
| SHA1 | bb8496d04363a8ae818a9b3efc0fbcc1ba893f78 |
| SHA256 | 22e95eb59a7cb402fadc1783c7f3c613aa18ebd09480e30f4a6557df8d066b26 |
| SHA512 | a6d734db225021487df46b2f62fb7a71883e2aa8837eb0097082510d8f01b519842cd26700ce84f2e2fd9012cb396ea894123d31a0e3e22636ecb859f68010af |
memory/2692-12-0x0000000006E20000-0x0000000006E30000-memory.dmp
memory/2692-13-0x000000007284E000-0x000000007284F000-memory.dmp
memory/2692-18-0x00000000730F0000-0x0000000073104000-memory.dmp
memory/2692-17-0x0000000006DE0000-0x0000000006DF4000-memory.dmp
memory/2692-19-0x0000000009BC0000-0x000000000A164000-memory.dmp
memory/2692-20-0x00000000098F0000-0x0000000009982000-memory.dmp
memory/2692-26-0x0000000003800000-0x0000000003844000-memory.dmp
memory/2692-27-0x0000000006A00000-0x0000000006A9C000-memory.dmp
memory/2692-28-0x000000000A7A0000-0x000000000A806000-memory.dmp
memory/2692-29-0x000000000AD40000-0x000000000B26C000-memory.dmp
memory/2692-30-0x0000000006E20000-0x0000000006E30000-memory.dmp
memory/2692-31-0x000000007284E000-0x000000007284F000-memory.dmp