Analysis Overview
SHA256: f85ba2e1604219d15c2b7816312f0c530411416cf3789fcc0ab73d7ee6dce36a
Threat Level: Likely malicious
The file LDPlayer9_es_1009_ld.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Creates new service(s)
Manipulates Digital Signatures
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Checks for any installed AV software in registry
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking
Drops file in Windows directory
Loads dropped DLL
Launches sc.exe
Checks installed software on the system
Drops file in Program Files directory
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Checks processor information in registry
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-12 20:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-12 20:29
Reported: 2024-10-12 20:32
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\loadall.cmd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSupLib.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp120.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxStub.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\vccorlib140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVBoxDbg.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr120.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\host_manager2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libssl-1_1-x64.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libcurl.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI32.fd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdpInstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\regsvr32_x86.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ucrtbase.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\host_manager.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\GLES_V2_utils.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0 | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SDL.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBTest.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxCpuReport.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRT.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SUPLoggerCtl.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxStubBld.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\EGL.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxNetDHCP.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxProxyStub.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp100.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libOpenglRender2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRes.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\concrt140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\dasync.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\vbox-img.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\vbox-img.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\vbox-img.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dism.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\LDPlayer\LDPlayer9\driverconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "331" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "233" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "325" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "325" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "331" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "325" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "331" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MAIN | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0788A091-88D9-11EF-A0C3-D60C98DC526F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "233" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7532-45E8-96DA-EB5986AE76E4}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods\ = "14" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods\ = "229" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ = "IMediumIO" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ = "INATNetworkCreationDeletionEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\NumMethods\ = "4" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\NumMethods\ = "88" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\ = "IFramebufferOverlay" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-cc87-4f6e-a0e9-47bb7f2d4be5} | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\NumMethods\ = "28" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\ = "Session Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ = "IClipboardModeChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4A06-81FC-A916-78B2DA1FA0E5}\NumMethods\ = "14" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ = "ISnapshotChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ = "IClipboardModeChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\NumMethods | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\ = "IClipboardFileTransferModeChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b
343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5
b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data elided) | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
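The Blob values in the table above use the CryptoAPI serialized-property layout: a run of records, each a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data, all little-endian. Property 0x20 carries the DER certificate and property 3 its SHA-1, which is also the registry key name, so the first consistency check is that those three agree. Reading the 317A2A... blob by hand gives a friendly name of "Starfield Technologies" (property 0x0B, UTF-16), an EKU of emailProtection and serverAuth (property 9), and a self-signed v1 certificate with serial 1, subject CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, valid 1999-06-26 to 2019-06-26. AuthRoot is the store that Windows' automatic root update fills on demand during chain building, so on a Windows 7 sandbox with no cached root list this write commonly shows up under whichever process verified a signature; treat the signature as a prompt to decode what was written rather than as proof of tampering. The decoder below is an added editor's example, not code from the report or from LDPlayer. It runs on a constructed blob that reuses the friendly-name and EKU bytes of the entry above around a placeholder certificate body (the full DER is too long to embed readably); the property names are the wincrypt.h identifiers.

```python
"""Decoder for the registry Blob values written under
SystemCertificates\\AuthRoot\\Certificates\\<SHA1>\\Blob.

Added example (editor's code, not the report's or LDPlayer's). The Blob is a
run of CryptoAPI property records: DWORD propid, DWORD reserved (1), DWORD
length, data. Property 0x20 is the DER certificate, property 3 its SHA-1.
"""
import hashlib
import struct

# Property identifiers from wincrypt.h for the records seen in this report.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUB_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_blob(blob: bytes):
    """Split a Blob into (propid, data) records, refusing malformed input."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property 0x{propid:02x} at offset {off - 12}")
        records.append((propid, blob[off:off + length]))
        off += length
    return records


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    parts, value = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_eku(der: bytes):
    """Return the OIDs of a short-form DER SEQUENCE OF OBJECT IDENTIFIER."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    body, oids, off = der[2:2 + der[1]], [], 0
    while off < len(body):
        tag, length = body[off], body[off + 1]
        if tag != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        oids.append(decode_oid(body[off + 2:off + 2 + length]))
        off += 2 + length
    return oids


def summarize(key_name: str, blob: bytes) -> dict:
    """Pull out the fields a triager wants and cross-check the thumbprint
    stored in property 3 against the certificate bytes and the key name."""
    info = {"props": []}
    for propid, data in parse_blob(blob):
        info["props"].append(PROP_NAMES.get(propid, f"0x{propid:02x}"))
        if propid == 0x0B:
            info["friendly_name"] = data.decode("utf-16-le").rstrip("\x00")
        elif propid == 0x09:
            info["eku"] = decode_eku(data)
        elif propid == 0x03:
            info["stored_sha1"] = data.hex()
        elif propid == 0x20:
            info["cert_der"] = data
            info["cert_sha1"] = hashlib.sha1(data).hexdigest()
    info["thumbprint_ok"] = (
        "cert_sha1" in info
        and info["cert_sha1"] == info.get("stored_sha1") == key_name.lower()
    )
    return info


def _record(propid: int, data: bytes) -> bytes:
    return struct.pack("<III", propid, 1, len(data)) + data


# Constructed sample, not the report's Blob: the friendly-name and EKU records
# carry the same bytes as the 317A2A... entry above; the certificate body is a
# placeholder so the sample stays short, and its SHA-1 is used as the key name.
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"  # placeholder DER, not a real certificate
SAMPLE_KEY = hashlib.sha1(SAMPLE_CERT).hexdigest().upper()
SAMPLE_BLOB = (
    _record(0x03, hashlib.sha1(SAMPLE_CERT).digest())
    + _record(0x09, bytes.fromhex("301406082b0601050507030406082b06010505070301"))
    + _record(0x0B, "Starfield Technologies\x00".encode("utf-16-le"))
    + _record(0x20, SAMPLE_CERT)
)

if __name__ == "__main__":
    info = summarize(SAMPLE_KEY, SAMPLE_BLOB)
    print(SAMPLE_KEY, info["friendly_name"], info["eku"], info["thumbprint_ok"])
```

To use it on a real entry, hex-decode the Blob value and pass the key name as `key_name`; a mismatch between the key name, property 3 and the SHA-1 of property 0x20 is the case worth escalating, since Windows itself never writes an inconsistent record.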
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=459230
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/ykt8hgSabz
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\dnplayer.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x15c
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:876 CREDAT:537607 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
| MD5 | f45a92aba92be451667f7771edecdd32 |
| SHA1 | bb8496d04363a8ae818a9b3efc0fbcc1ba893f78 |
| SHA256 | 22e95eb59a7cb402fadc1783c7f3c613aa18ebd09480e30f4a6557df8d066b26 |
| SHA512 | a6d734db225021487df46b2f62fb7a71883e2aa8837eb0097082510d8f01b519842cd26700ce84f2e2fd9012cb396ea894123d31a0e3e22636ecb859f68010af |
memory/2496-11-0x0000000004620000-0x0000000004660000-memory.dmp
memory/2496-12-0x0000000073DFE000-0x0000000073DFF000-memory.dmp
memory/2496-16-0x0000000002A60000-0x0000000002A74000-memory.dmp
memory/2496-17-0x00000000745C0000-0x00000000745D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC313.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC335.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 10d3bfe8e015ca135777c023dee26a63 |
| SHA1 | b9cb5311cedacc89446f8883d9762e79cdc37002 |
| SHA256 | e9055844401b328519095f949eaaaa4877073876dc35af4f20554904245a376d |
| SHA512 | 30b20095c083b87adefdba9f95d0eb5ff9a4811ffc5a6345efdc0d07815294f9cfd094a615fec9a43f310e2a5d19b50b60c65ded76daf67fdbd90fff0c59b383 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 503110506557dfadf47b147cf15b104e |
| SHA1 | 1be8780ed27f8af00cc604801389ed2ede30d0e7 |
| SHA256 | 3fbe75c4c75b9718436085110d03f14ef52baf6e724c7cdf1e74ed36bb892e95 |
| SHA512 | 88ee9ab712b64265a5c47703c1e097bc44bf0c4ddc494a077ad46d6653efc2183aa1e7f5a2370cd63eb41a45fbaadd78c92f7daa19dcc85bf9e303332cf22d4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90948c62279282ee0b43012bdf2eed35 |
| SHA1 | 529cdfa77230659f41d1aee075baf73efae44888 |
| SHA256 | 8c05ce47069648a91438e053de44185afd0cbe41ec95fcf7a525bd8b12bd99a0 |
| SHA512 | 9448cd5117d8bc62a068d55b825a8ecb51c1bf257cab9052328cd77d04039e10490262872be16f1119ee3faae46b652c2efa9332dcecce867f2d9900c0aa3df6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31d27662d82105f02ce21d33f8a02ba1 |
| SHA1 | b011136734198b2370a4cc62cb32c60e4bcf2405 |
| SHA256 | d4e08e1724c42a2e44676cf7d87dacfde356a46761b5714ee8cfe43961e3b82d |
| SHA512 | f100b6713d19bc017ae5b021e38160a24927953b2c5e367d627fd465246082c98e93261f462350f8f60d6c0b662034569d951c2aafd1a7c6c2c5d06a37eb6d76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5df9f94a4afac1b681bbf80bbcc26e4 |
| SHA1 | 451dd4aabbd2c35af676354772eec778a559d392 |
| SHA256 | 013b59ac9962f76e1fe50a731682fd1f9b8cccb14b95ee48a8fd8da7d43529a4 |
| SHA512 | 348d0741f94a03ca8d6f40d5be6dd8102ff4df07f5c9ba60603a9805306a6f017be9df8b6c9c7314bc7d6440479331ff0263b2bf98a56bee9911d12de5a450b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5d4cc3b411a9eae12b413dd44f1732f3 |
| SHA1 | 5dd203929c616f7f82415a0a3cae44e4a545c0f8 |
| SHA256 | a162a68c4d6ef02e2205a02e508ee96f70bcb3710f22518d65b000491ab9f882 |
| SHA512 | 9bacfb3c814a8c541294fc666dab2eec9787f386f793a148d8a841ab413f04a6d8fdcdeeb1fab0abd0e4c932339e1b48dbabdf37d4dca91d42e93e78f9e3b58a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
| MD5 | b8b3800865535f37dd99af87e9a3d4d7 |
| SHA1 | d6ba90caba11b93b5099fd5e793c99f56675b103 |
| SHA256 | c12ce06ce6104991a18360b1a0d29a1f8786d83ebdea9e9ffd4a776d534f16c5 |
| SHA512 | 37ca1e4644be74d9245c287c3f9d55e0c6a40f6eaa0ae9c70aa7c3bdd246d351703d44adf984c213bc0d6b9daabaeb53f51eeaaaef12bb6fc94db8e6ce28f710 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
| MD5 | c5dfb849ca051355ee2dba1ac33eb028 |
| SHA1 | d69b561148f01c77c54578c10926df5b856976ad |
| SHA256 | cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b |
| SHA512 | 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da |
memory/2496-347-0x0000000003020000-0x0000000003064000-memory.dmp
memory/2496-460-0x0000000073DF0000-0x00000000744DE000-memory.dmp
memory/2496-461-0x0000000004620000-0x0000000004660000-memory.dmp
memory/2496-462-0x0000000073DFE000-0x0000000073DFF000-memory.dmp
memory/2496-463-0x0000000073DF0000-0x00000000744DE000-memory.dmp
memory/2496-464-0x0000000073DF0000-0x00000000744DE000-memory.dmp
\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | cee286a3b75e2e3b92359a54a129a8cf |
| SHA1 | d9708dc4a44c32a25d31eb93b7e0627155c5a871 |
| SHA256 | d6f0c9d7efe02de528a908285a989cc41903bc34b3448e5638af551ef12f77a5 |
| SHA512 | daf84e165437170d2ae029f2092ea9dbde03d6a34d85ac710e679e560333f8c17c6a2fc16ad69adad36ccf29c462f9c92346ca42e163e7a8c4069253456f06c1 |
C:\LDPlayer\LDPlayer9\MSVCP120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\phones.data
| MD5 | fdee6e3ccf8b61db774884ccb810c66f |
| SHA1 | 7a6b13a61cd3ad252387d110d9c25ced9897994d |
| SHA256 | 657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4 |
| SHA512 | f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512 |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | cb1f1554bd438600eba5a55feda2c653 |
| SHA1 | 893dcdd3d21568c6d0586fa3590be7c9dcbfa42e |
| SHA256 | 27bb89fa0800e7fdf643126551dda3eaa834b1171346010b93fb904076e90f4f |
| SHA512 | 65b064ce0496680408f76e7fe3a9946155384864099c1913acb1f88db182277d5d09d4e9cfdff8a8ae821f0037af93ce97bbc76e656831a52714abcdc0da6412 |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | be5eb5347c30bc6feba94d103528050a |
| SHA1 | 862ff5fd84b1caa34a6298969799a802f1cb3df6 |
| SHA256 | 5fda5ba5047c9b6c542eb4643fd42e664838702534a3d1a53ccb0c1af1490965 |
| SHA512 | 15994a163acacbdd5811e21c01a0993c16dcf078cad37b74c95e488cf6c6944c288550a60d1da8e049c24657896370332bf8c0431a7b037614552b43c47a630d |
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
| MD5 | 6f892c7d1f5dcebed236a06b9035fe06 |
| SHA1 | fc3793c2921e89fc6dd14edb63beabf26a975a55 |
| SHA256 | 262fbf3222783afbcea8a2d0c420855741d113586b6f283298e2ba089acab3d5 |
| SHA512 | 792128f021acb5c97559a3c5102ee6dda7457dd2fc5bc43997f9aced59486f6b6598fe330334fe661da6bea97798610f0d61ff3d9695264ef5ac94aba256bbc4 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | e46bc300bf7be7b17e16ff12d014e522 |
| SHA1 | ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44 |
| SHA256 | 002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e |
| SHA512 | f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll
| MD5 | c1fdd419184ef1f0895e4f7282d04dc5 |
| SHA1 | 42c00eee48c72bfde66bc22404cd9d2b425a800b |
| SHA256 | e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7 |
| SHA512 | 21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 0fb91d94f6d006da24a3a2df6d295d81 |
| SHA1 | db8ae2c45940d10f463b6dbecd63c22acab1eee2 |
| SHA256 | e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8 |
| SHA512 | 16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll
| MD5 | 1fb62ef7e71b24a44ea5f07288240699 |
| SHA1 | 875261b5537ed9b71a892823d4fc614cb11e8c1f |
| SHA256 | 70a4cd55e60f9dd5d047576e9cd520d37af70d74b9a71e8fa73c41475caadc9a |
| SHA512 | 3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll
| MD5 | 8fd05f79565c563a50f23b960f4d77a6 |
| SHA1 | 98e5e665ef4a3dd6f149733b180c970c60932538 |
| SHA256 | 3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73 |
| SHA512 | 587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll
| MD5 | 7041205ea1a1d9ba68c70333086e6b48 |
| SHA1 | 5034155f7ec4f91e882eae61fd3481b5a1c62eb0 |
| SHA256 | eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d |
| SHA512 | aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll
| MD5 | e87192a43630eb1f6bdf764e57532b8b |
| SHA1 | f9dda76d7e1acdbb3874183a9f1013b6489bd32c |
| SHA256 | d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf |
| SHA512 | 30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll
| MD5 | cedbeae3cb51098d908ef3a81dc8d95c |
| SHA1 | c43e0bf58f4f8ea903ea142b36e1cb486f64b782 |
| SHA256 | 3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0 |
| SHA512 | 72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | c9649c9873f55cb7cdc3801b30136001 |
| SHA1 | 3d2730a1064acd8637bfc69f0355095e6821edfd |
| SHA256 | d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f |
| SHA512 | 39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | bedc3d74c8a93128ef9515fd3e1d40eb |
| SHA1 | d207c881751c540651dbdb2dbd78e7ecd871bfe1 |
| SHA256 | fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32 |
| SHA512 | cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 13b358d9ecffb48629e83687e736b61d |
| SHA1 | 1f876f35566f0d9e254c973dbbf519004d388c8d |
| SHA256 | 1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd |
| SHA512 | 08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 89766e82e783facf320e6085b989d59d |
| SHA1 | a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed |
| SHA256 | b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90 |
| SHA512 | ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 769bf2930e7b0ce2e3fb2cbc6630ba2e |
| SHA1 | b9df24d2d37ca8b52ca7eb5c6de414cb3159488a |
| SHA256 | d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a |
| SHA512 | 9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 540d7c53d63c7ff3619f99f12aac0afe |
| SHA1 | 69693e13c171433306fb5c9be333d73fdf0b47ed |
| SHA256 | 3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36 |
| SHA512 | ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 77e9c54da1436b15b15c9c7e1cedd666 |
| SHA1 | 6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360 |
| SHA256 | 885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658 |
| SHA512 | 6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | b8bce84b33ae9f56369b3791f16a6c47 |
| SHA1 | 50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4 |
| SHA256 | 0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8 |
| SHA512 | 326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 6486e2f519a80511ac3de235487bee79 |
| SHA1 | b43fd61e62d98eea74cf8eb54ca16c8f8e10c906 |
| SHA256 | 24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667 |
| SHA512 | 02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 6e46e5cca4a98a53c6d2b6c272a2c3ba |
| SHA1 | bc8f556ee4260cce00f4dc66772e21b554f793a4 |
| SHA256 | 87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce |
| SHA512 | cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll
| MD5 | a37faea6c5149e96dc1a523a85941c37 |
| SHA1 | 0286f5dafffa3cf58e38e87f0820302bcf276d79 |
| SHA256 | 0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e |
| SHA512 | a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll
| MD5 | b72698a2b99e67083fabd7d295388800 |
| SHA1 | 17647fc4f151c681a943834601c975a5db122ceb |
| SHA256 | 86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378 |
| SHA512 | 33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll
| MD5 | a639c64c03544491cd196f1ba08ae6e0 |
| SHA1 | 3ee08712c85aab71cfbdb43dbef06833daa36ab2 |
| SHA256 | a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60 |
| SHA512 | c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 6f9f9d52087ae4d8d180954b9d42778b |
| SHA1 | 67419967a40cc82a0ca4151589677de8226f9693 |
| SHA256 | ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0 |
| SHA512 | 22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll
| MD5 | 7243d672604766e28e053af250570d55 |
| SHA1 | 7d63e26ffb37bf887760dc28760d4b0873676849 |
| SHA256 | f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18 |
| SHA512 | 05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 56486925434ebcb5a88dd1dfa173b3d0 |
| SHA1 | f6224dd02d19debc1ecc5d4853a226b9068ae3cd |
| SHA256 | 4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce |
| SHA512 | 7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll
| MD5 | e1debeda8d4680931b3bb01fae0d55f0 |
| SHA1 | a26503c590956d4e2d5a42683c1c07be4b6f0ce7 |
| SHA256 | a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d |
| SHA512 | a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | c0c8790510471f12f3c4555e5f361e8e |
| SHA1 | 7adffc87c04b7df513bb163c3fbe9231b8e6566a |
| SHA256 | 60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80 |
| SHA512 | 4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | ebac9545734cc1bec37c1c32ffaff7d8 |
| SHA1 | 2b716ce57f0af28d1223f4794cc8696d49ae2f29 |
| SHA256 | d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26 |
| SHA512 | 0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | c7c4a49c6ee6b1272ade4f06db2fa880 |
| SHA1 | b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e |
| SHA256 | 37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f |
| SHA512 | 62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | fbfcf220f1bf1051e82a40f349d4beae |
| SHA1 | 43154ea6705ab1c34207b66a0a544ac211c1f37d |
| SHA256 | 9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d |
| SHA512 | e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0 |
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll
C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll
C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
C:\LDPlayer\LDPlayer9\dnplayer.exe
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
C:\Users\Admin\AppData\Roaming\XuanZhi\fonts\Roboto-Regular.otf
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\favicon[1].ico
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\AV89ME3D\www.youtube[1].xml
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 20:29
Reported
2024-10-12 20:32
Platform
win10v2004-20241007-en
Max time kernel
107s
Max time network
152s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
Downloads MZ/PE file
Checks installed software on the system
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | res.ldrescdn.com | udp |
| GB | 163.181.154.238:443 | res.ldrescdn.com | tcp |
| US | 8.8.8.8:53 | dagswotxcmrj6.cloudfront.net | udp |
| DE | 108.156.253.228:443 | dagswotxcmrj6.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.154.181.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.253.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d1odpp2eg70dto.cloudfront.net | udp |
| CZ | 65.9.94.181:443 | d1odpp2eg70dto.cloudfront.net | tcp |
| CZ | 65.9.94.181:443 | d1odpp2eg70dto.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 181.94.9.65.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 49.4.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| GB | 163.181.154.238:443 | res.ldrescdn.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | middledata.ldplayer.net | udp |
| SG | 8.219.136.97:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 97.136.219.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll