Analysis Overview
SHA256
d6f0c9d7efe02de528a908285a989cc41903bc34b3448e5638af551ef12f77a5
Threat Level: Likely malicious
The file dnrepairer.exe was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Creates new service(s)
Possible privilege escalation attempt
Modifies file permissions
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
Executes dropped EXE
Drops file in Windows directory
Loads dropped DLL
Launches sc.exe
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 10:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 10:47
Reported
2024-10-16 10:51
Platform
win7-20240903-en
Max time kernel
131s
Max time network
122s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "FormatVerisignExtension" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ossltest.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qwindows.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSampleDriver.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\padlock.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\dpinst_64.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\ossltest.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\padlock.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBInstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxCpuReport.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDbg.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5PrintSupport.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp120.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\vccorlib140.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5WinExtras.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstAnimate.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDTrace.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSVGA3D.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxSup.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\comregister.cmd | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qoffscreen.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI64.fd | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\libcurl.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfInstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File opened for modification | C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SUPInstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMM.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\dpinst_86.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Gui.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBUninstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dism.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\NumMethods\ = "56" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08a7-4c8f-910d-47aabd67253a} | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CLSID\ = "{20191216-c9d2-4f11-a384-53f0cf917214}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-762E-4120-871C-A2014234A607}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ = "IGuestDirectory" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\TypeLib | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6FA-430E-6020-6A505D086387} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3534-4239-B2DE-8E1535D94C0B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-dad4-4496-85cf-3f76bcb3b5fa} | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\TypeLib | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-f6d4-4ab6-9cbf-558eb8959a6a} | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ = "IGuestPropertyChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\ = "IFramebufferOverlay" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID\ = "{20191216-c9d2-4f11-a384-53f0cf917214}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9849-4F47-813E-24A75DC85615}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\ = "IMachineStateChangedEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-9849-4F47-813E-24A75DC85615}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7ba7-45a8-b26d-c91ae3754e37} | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\NumMethods\ = "13" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\ = "IVirtualBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\NumMethods | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844}\ = "IGuestKeyboardEvent" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1f8b-4692-abb4-462429fae5e9} | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ = "IAudioAdapter" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-B7DB-4616-AAC6-CFB94D89BA78} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\FLAGS | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe
"C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe"
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\Users\Admin\AppData\Local\Temp\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\Users\Admin\AppData\Local\Temp\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\Users\Admin\AppData\Local\Temp\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\Users\Admin\AppData\Local\Temp\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\Users\Admin\AppData\Local\Temp\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\ldplayer9box\Ld9VirtualBox.exe
"C:\Program Files\ldplayer9box\Ld9VirtualBox.exe"
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
Network
Files
C:\Users\Admin\AppData\Local\Temp\vms\config\leidian0.config
| MD5 | cf7503fa9809c9c20545f9389513917f |
| SHA1 | 2fc4bc5c9fecb9f0d066724cb34c64c35d4e5976 |
| SHA256 | f499f65f1537f2621a12f1d7c9efca0806a513fcc3be47f65201e995521d429b |
| SHA512 | 2a6dcfe915328be76fdba61f55847d12369346737f2c19a1a992d4ff4fdfcfab9b15e330227bb100364cf7cd32f12a59757355d9627829d6758a0c28cc7faaaf |
\Program Files\ldplayer9box\Ld9BoxSVC.exe
| MD5 | ae1938a743370ac72ea249ade4f1bd92 |
| SHA1 | 382818d8f622b63420afebb3a11b5dec6daad9ad |
| SHA256 | 30cc644b8f4e4e55aa01c824001c3a58a8f1e946ba229c567cf01e2df3242339 |
| SHA512 | e7cc9ce120d7e984fa1de381dd309ad744fe9f18970d1230ee8b228b95d5d9cd668fa4ff38f3d1316d5a07c50838cf94ec57ccb60dea9bdad030875bfa6952b0 |
C:\Program Files\ldplayer9box\MSVCP100.dll
| MD5 | 0775f4c382842ce37cf8aa6d55835a6f |
| SHA1 | 6885f7cf2188fb2156b273cc790d23990b71ee9c |
| SHA256 | 4eda2ff10ce9659e78e7b64d90bd7967279924e2328bcd633023e629992e95ac |
| SHA512 | a8bc64b3b815cfcaf6271ec21eb8896647dd9a71a82aa52af9a66136c61a41ce2b78bcece7b9dd166926931ec5e95148b875c9f4494ff2aee9312fe4b8363587 |
\Program Files\ldplayer9box\msvcr100.dll
| MD5 | 7d2be35053f902b9d357ebc036a7e7de |
| SHA1 | c39e7b265b01441639572c76666c80ed1e62711f |
| SHA256 | 97e60c977788f7e1d485e66e057b613606ada7cf46a30f3052034059f659d4a9 |
| SHA512 | 70c1fbdb155c5c738974c054b9440fb34d372105d81e50459f46282a6104975b529c73550a724202829e9f3479cd616c288f816490264e4118e8785527ca6cbb |
C:\Program Files\ldplayer9box\VBoxDDU.dll
| MD5 | 408800fb12d863b3fe86d210e078181c |
| SHA1 | 5d8ab6f28d496b9a4f64ff733d01d8b80e793417 |
| SHA256 | 23301ab7b286261e874264d5ed33efb5f5a9d18459edf81524daba9d18aa304f |
| SHA512 | e09aad197b0dc707007295f09e6bb4a0b11e2ff3c03ba2d774984ddd67a2eee06ad5d85e3b6d39edbb35b475450bc9a0c3be990695cc039fed2b5abbb54ae9fb |
C:\Program Files\ldplayer9box\VBoxRT.dll
| MD5 | 163087045ef266bddc003d5b354fa21b |
| SHA1 | 74356b435b255d92f31486c18d8ea8aaa900ca2c |
| SHA256 | e500d1f6943149a847558aceb6a06e323875e2b3da6b00233a764d80d46eeb0d |
| SHA512 | 24e207b8158dd0f87b5ea24c036fd7cf52fa267c4b8bc58c4e27664975a5aaa1b9d1ee585bff732befdf4a07fc564437ac689e0f3c14377fa9513d636981585d |
\Program Files\ldplayer9box\libcurl.dll
| MD5 | 7c237f5682cf6491413b0d97dd842baa |
| SHA1 | c1ddd15b662e0df4c0d05cb4d4d0b9f4de55b51f |
| SHA256 | 1fdd8d10b981127e8b1bd351fb4138b467b131906fc2d9a1e9f66d94590061d4 |
| SHA512 | 2d00eac5f821aab4a2d9aca2ebb9addaacf45fa85801a41d0d27f1057696196317ba1fc093a2389ed8be2e5f0a805c7cd563f63cfcf46d5eb41849e64d880864 |
\Program Files\ldplayer9box\libssl-1_1-x64.dll
| MD5 | af673a3d9dd234099505cd088898b1a7 |
| SHA1 | db1e93e88aa8f6ebda14c948c86abfea3a6c89d2 |
| SHA256 | 75754372b2ce19df8fb989fd92527fe6cd3b559325073344985ef509b13d2054 |
| SHA512 | f99f7433c28eafe36a9abc4ab1b0e9d1ced6534adcf6c0bee08595bb9edbc96be81769912bbb0ce227ce187dbe7bca39a830560ff2d0bcae8fc5df9059f9772d |
\Program Files\ldplayer9box\msvcr120.dll
| MD5 | 448d1056a6379e6f797bca13a7bc377b |
| SHA1 | d36fe3ab178c017b23faf7c4dd18646994c15f90 |
| SHA256 | b3e24f5d4ae25b0a00db55e2dbfc835b12a329c52bae17321d6f0b9257c18a4e |
| SHA512 | ed86c2ec550b2c0e259b8c0db6c71090f6de4f72887b5d6584f8552dac2accc5bc2d1df85b368e91e99439f54168137007556a5898dd55528e2442bf2acff77d |
\Program Files\ldplayer9box\libcrypto-1_1-x64.dll
| MD5 | d260124015f4513f526363054045f51e |
| SHA1 | 2a1eefa0c3417c8ad9df0ef10557aefa4247c893 |
| SHA256 | 588a6fbdc9bcd10eec2ae6602b05339169e424e8d82929759758c1d01a7965b3 |
| SHA512 | 305331e0682110c60d5bbb0450f1e3e29fa5a9b435b9715285a5fcd91c7bb568e71ae32aefeae766735edf31f6fe1c91377a688adc3ec8b91aa489ceb8822ea3 |
C:\Program Files\ldplayer9box\VBoxC.dll
| MD5 | b32b83c2de0883ac611f487210450847 |
| SHA1 | eb15c0409ea80b30859376fc152e913153572895 |
| SHA256 | 5aaf6f66132230adaa2481a8be618f68089e4d25605f00d5f9763da39fa1e690 |
| SHA512 | 96644b27d678cdcd09a17413e76579f0ac082c6a1eb3c6565ab6d0419cab77d6cadc41eb10e89fed16ec7ad0fb3a9481c5b0a206c94f679776759e446ca9f8fc |
C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll
| MD5 | a7676f29972ea8a9d284d6b244d20f59 |
| SHA1 | 8e464700d172d26cd87ae958af4570a0c5356485 |
| SHA256 | df5e0c781d5b7e11b177ae8ca26941010830060e38ccaa3d1ae65b6e6df9fef3 |
| SHA512 | 7da24bb81194c2263eca3bc6ac1f12282d41ba5261373a030086b06bbbe77c477640185c6252ed4d69cb5e4b18fde52dfa81e6a60c2f263f60ac0b8948f32c41 |
C:\Program Files\ldplayer9box\x86\MSVCR100.dll
| MD5 | 5f7ec2f51a49bed740dab559d0c6fe2b |
| SHA1 | 8ced75060672cdc01b0cf846dd08f7015b2ad4a5 |
| SHA256 | d5f882aa60982aed1ad06305508e6894ea349373b9451487af9b9ee9db451906 |
| SHA512 | ba840acf1c9960c1bd4b9b0a1b57b3baad23b35e7c11e96411f788155a4fec31f563d4214ad7a7d980552dc76a4265b8680c39be86df400a3bd5ddc9a96b76b2 |
C:\Program Files\ldplayer9box\x86\MSVCP100.dll
| MD5 | fefc82479f2f1e74f63e7cdfcd650e9e |
| SHA1 | 8546b1ec3622196dca2f95550bda0ec05c2bcbcc |
| SHA256 | cbf1335732db37d0c3d1da222f6e2e740114277b0e5cd3ef4f8aea2d2e790401 |
| SHA512 | b6732df7567d35d53f4c0c351053a5c6505bd87f01a9ce8c4b36b3744b3c5dc11c9fa16dae4b2d0037985ca77f48dafde8841466ae678a38eae17b33c820f162 |
C:\Program Files\ldplayer9box\x86\VBoxRT-x86.dll
| MD5 | e0590edd0953c6ba5c3497668a7643c6 |
| SHA1 | 84ab263ca5e2d8d6b40277e4c1deac797bf4e104 |
| SHA256 | 08c953e6de890b2b7b495874022867cfe3df3b92b64d693a93321644ec805086 |
| SHA512 | 45180ff07cf6b24cf4c19ead67f299da54c6f2e85bfa31deeb5a5afa7bc9d836d67033f1257ce79b53724ac84a23e36a779187087e3cafae496a8604919d0ec8 |
C:\Program Files\ldplayer9box\x86\libcurl.dll
| MD5 | 92879101dd29c1fd63081ba1a6fa431f |
| SHA1 | c02ebd7811a8ab708afbee8b3c425497f602edbd |
| SHA256 | 2d3f05461247120f37539581cdd3ea6933c85d878cdcd96cc87f7e0dd8b77aa2 |
| SHA512 | 43ee0fc27181bfbe5feb4ffc4909bd9ba1291cc376123404b4c7ad63f1933cb016ba58bd3ada6a20f5ecbe7625838f6825107c5029e6e69476fa3dc8f920ab39 |
C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll
| MD5 | c3e4a5a9a1fc7e2a6c0f0834d76a884a |
| SHA1 | e560057493ff71ac1fdba455f6bb88c4d3d0aa1a |
| SHA256 | 23fb942f8952bb8b756b06660ea0bc47552877cdd4b39ae494d3dd9597727a28 |
| SHA512 | 687f2c9afef0433d421663524af48f1610a529d4e774ca68171b7e26c442a572df8ecce58886538dbd2256d2e11291c9b03d7c85096c3425fd55b09f8a487723 |
\Program Files\ldplayer9box\x86\libssl-1_1.dll
| MD5 | b933c341d69ff40a7b375f39f3d732f3 |
| SHA1 | a32f770081206a727d79e414cad28918fc7757ef |
| SHA256 | 579ffe8e14f2c325e70eb456d858fef27b54f995864ed28c596096a1128d2b5a |
| SHA512 | 5007855710bc8d37b86653ef50ff38e1026bec022f1b79effcbc3c606c5f4efbe81196e26b9282052168c737acd178e77b71f7bf53d9c472d3838ed5ce17719e |
C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll
| MD5 | 3458829890d73d60f062d89498ff5fe9 |
| SHA1 | f9e875f1a3f8d01f8dfc4c885fb79b75a78ce508 |
| SHA256 | 0eeb8100737be41147a575b7e623c866ce5eeab88e766faa0279eb71156965df |
| SHA512 | 0881bad57695540c4f062663a65dc95ae83b54cf2abc75eab68592df9482636bac10247b4829209f2eba42bf31b7aeb2a2ef69ae313dc10b71783fc6bdfc291a |
\Program Files\ldplayer9box\x86\msvcr120.dll
| MD5 | 3b42834ddacbe223d645fd953e8c3517 |
| SHA1 | 06337143e59b8aef4995ea92b1c922a48bb17279 |
| SHA256 | 080fe71295b26c582f175ead2c31722fb9bbc317c4454aee6e5304246f93ae8f |
| SHA512 | f1d4861d78411feee259e6988ab6a7322e86692a4fe426825eb22145b372244e51a2c94670aa7d6d6896828a10d9d28ac260fbf9a63bac97f2d5ce81fd3119d5 |
\Program Files\ldplayer9box\VBoxProxyStub.dll
| MD5 | f80c0af218d68a85dc450dee6ded4cf1 |
| SHA1 | 3e67defbeb14f5ad593f736eba0c89de5263f551 |
| SHA256 | aac2d12caf56b0a68e01ef5ea677d00d30a3dee4950789f01aef23733a1832b4 |
| SHA512 | 7f5274e88e6f65a1f3d4b0080ed0bc2de6da23dcaae323222adcbd05aa6ae9f21ecf63eee265f3aceabab5a694b5ce11040b77d3b1140a5388b85410c92e96ee |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4de673b73055fe5662e9dd1d6fa31f89 |
| SHA1 | 0ddae2c09ec12edd13af0a89e046a9576fd791c6 |
| SHA256 | 6fb1036ab0a66504934a205530f8d0328ed2b071ebb66420a01eab05ed7a0b60 |
| SHA512 | 73b6636ada01a4ec134c0e27dd8ba1aa0e09f315406557f4e68f098800509c332b05402a8eeb9de5dba8f85cc0ca653469e320f565eaa0886a977acd95e21276 |
memory/1956-280-0x0000000073CE0000-0x0000000074242000-memory.dmp
memory/1956-282-0x000000013F220000-0x000000013F442000-memory.dmp
memory/1956-281-0x000007FEF3010000-0x000007FEF5349000-memory.dmp
memory/2428-284-0x0000000002040000-0x0000000002050000-memory.dmp
memory/2428-283-0x0000000002030000-0x0000000002040000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 10:47
Reported
2024-10-16 10:51
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVBoxDbg.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBUninstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSDL.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxAuth.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxHostChannel.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\concrt140.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDragAndDropSvc.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\bldRTIsoMaker.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Gui.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VMMR0.r0 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\loadall.cmd | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetLwfUninstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstAnimate.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxManage.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRes.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.sys | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxRT.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\vccorlib140.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SUPInstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp120.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetAdpInstall.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qminimal.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMMPreload.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qoffscreen.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SDL.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxBugReport.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcr100.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vbox-img.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxCAPI.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxInstallHelper.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxEFI32.fd | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\platforms\qwindows.dll | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SUPLoggerCtl.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxNetNAT.exe | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\dismhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\dismhost.exe | N/A |
| N/A | N/A | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dism.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ = "IVirtualBoxClient" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ = "ICertificate" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ = "IExtPackPlugIn" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\ = "IFormValue" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-057D-4391-B928-F14B06B710C5}\ = "IGuestFileEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7193-426C-A41F-522E8F537FA0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\NumMethods\ = "8" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C380-4510-BC7C-19314A7352F1}\ = "INATRedirectEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\ = "IPerformanceCollector" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods\ = "30" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID\ = "{20191216-c9d2-4f11-a384-53f0cf917214}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CurVer\ = "VirtualBox.Session.1" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\ = "IUSBDeviceFilter" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods\ = "12" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\NumMethods\ = "22" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-32E7-4F6C-85EE-422304C71B90} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\NumMethods\ = "44" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7708-444B-9EEF-C116CE423D39}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\NumMethods\ = "19" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\ = "IEventSourceChangedEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ = "IExtPackBase" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3618-4EBC-B038-833BA829B4B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\NumMethods\ = "26" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-800A-40F8-87A6-170D02249A55}\ = "IExtraDataCanChangeEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\ = "IEventSource" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe
"C:\Users\Admin\AppData\Local\Temp\dnrepairer.exe"
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\Users\Admin\AppData\Local\Temp\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\Users\Admin\AppData\Local\Temp\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\Users\Admin\AppData\Local\Temp\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\Users\Admin\AppData\Local\Temp\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\dismhost.exe {DC013FD3-1149-4AB1-8940-985263AB8B76}
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\Users\Admin\AppData\Local\Temp\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vms\config\leidian0.config
| MD5 | b52546c702f5ac4faa0285f0efea06b2 |
| SHA1 | 42acb6d098615d26bd0930f1cd8b5f60fc3fc5c5 |
| SHA256 | b629c5c0e22961d90790e01f15ab1ee21aa81b4fc6a8eab51837be574f09fe1f |
| SHA512 | 648c263887cbe98e20bf886a6842f04cb12f464426e978bc0391ebb54b37e829f7b9ad07a378644fd0cca8f3cd11bc52d45f5de5777a1ef69005be4e1c3bfd14 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | ba75a9ed923917e9b692ddae7a03c27e |
| SHA1 | 0d5f7e77cd46e03514d3b4d51af7bd37b9ea025e |
| SHA256 | 6f9daa5c3f2922c15d7ec89fc8ad49a4c48298f7afa8b4877ef3e2b713a2e5e9 |
| SHA512 | db62137e0a2620fe5af55861bac9d845a32afcd499cd7880c8d1b99f6cb832480a661ffe39ecd41ee9b7e01a91325700e60ffa2c8396efee63af1fb5d57ed660 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\MsiProvider.dll.mui
| MD5 | c5e60ee2d8534f57fddb81ffce297763 |
| SHA1 | 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2 |
| SHA256 | 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145 |
| SHA512 | ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\TransmogProvider.dll
| MD5 | 84ae9659e8d28c2bd19d45dbe32b6736 |
| SHA1 | 2a47058eafab4135a55575a359fbd22390788e93 |
| SHA256 | 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4 |
| SHA512 | d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\WimProvider.dll.mui
| MD5 | da1c1b3e004b71b15638d091c0c82c56 |
| SHA1 | a1195ca1caa80e9f463c443737d97b4b966fae0f |
| SHA256 | a9eebcb85a0271061ac620ff9d2a6d22332721c782aeb06ab1ccf1149bff2aa4 |
| SHA512 | df373693e971a85397850107f233914a09478cbeee9b1e1903154f8693842b66fdb2ea0de4403aea7cdeca0c70d0723733c8a2938e90e07987d5eace6b481ef5 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\WimProvider.dll
| MD5 | 229df404d67e69e57f9e284a66f2adeb |
| SHA1 | 7f4f703dbe8c274f5104d4d104dafcadf0c3857b |
| SHA256 | 8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377 |
| SHA512 | 917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\VhdProvider.dll.mui
| MD5 | 0656529f4d1b3ff2d4deffbaf18ce95b |
| SHA1 | ffcf4f53bf767bcd4f6044082b82c4f25598b5c6 |
| SHA256 | 2ba085379434b3f9fcb0c70c2bd02a7f4f0170e6160578a583eb42c8d333fab7 |
| SHA512 | f17b6c4087498af8951ea0f80f65923713e410458669f3e19624ab6e225222d1f2bb1e6779e5aae328aca88acec940dcf9c9447b83dd27dc6616625f005dec1c |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\VhdProvider.dll
| MD5 | c6488a9b3569230669c72f3239cbc108 |
| SHA1 | 87b9b2ab5de52f246c1936480463bd402ad519b9 |
| SHA256 | 4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36 |
| SHA512 | 47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\UnattendProvider.dll.mui
| MD5 | 8acee3337dfd444254bb8abdd3c29ada |
| SHA1 | 25d98d3426f32fa199c026b6eb829b469609b2e3 |
| SHA256 | 11f7957b8cc57dd7176f62b0612e658d6588b7caa8be4db3a337953b02b98c24 |
| SHA512 | 2849978060fa6e1fcfa37c870ae59ef22a67c0f8653468e07803422497fcc7275409ed0c36fe2d8e88026c13c82705abed771b4492761eead24cb5c32bdf2ea7 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\UnattendProvider.dll
| MD5 | f7bd21c4170b1397eb098fa18ef45d4b |
| SHA1 | 05d36abc4853eda468eab68d289337962c76195f |
| SHA256 | 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0 |
| SHA512 | 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\TransmogProvider.dll.mui
| MD5 | 2138fda89b1a5a18b32aed1d8762cde5 |
| SHA1 | a476f7dc86e62c7dc0edf27bb778174348cac566 |
| SHA256 | a75288f9e83cccf2a6a644ff78e6c26dadd5772a2626f80120b81975664e7dab |
| SHA512 | d7cbf569b5d57730c81fc121e92e1042a37e07922c02f36efac3769622f40234c70dafe9ed88a659d90c3855b5240f67f99b55ddecc46eea0e28e5b80ecc820b |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\SysprepProvider.dll.mui
| MD5 | 93d076056dd01dfc64d95d4c552a2dff |
| SHA1 | a90fd06a62c6d63d87e00f5f7e9646b44d2c726a |
| SHA256 | 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4 |
| SHA512 | b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\SmiProvider.dll.mui
| MD5 | f32e38247d0b21476bbfb49989478f7e |
| SHA1 | b950fd72ea2a6a94ee049454df562aed79ca1e35 |
| SHA256 | a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835 |
| SHA512 | f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\SetupPlatformProvider.dll.mui
| MD5 | 73e78fbbf6e6679fa643441c66628d37 |
| SHA1 | 57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5 |
| SHA256 | 5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06 |
| SHA512 | a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\ProvProvider.dll.mui
| MD5 | b8a8c6c4cd89eeda1e299c212dc9c198 |
| SHA1 | f88c8a563b20864e0fc6f3d63fadda507aa2e96e |
| SHA256 | 50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea |
| SHA512 | 4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\OSProvider.dll.mui
| MD5 | 0633e0fccd477d9b22de4dd5a84abe53 |
| SHA1 | e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9 |
| SHA256 | b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706 |
| SHA512 | e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\OfflineSetupProvider.dll.mui
| MD5 | 015271d46ab128a854a4e9d214ab8a43 |
| SHA1 | 2569deff96fb5ad6db924cee2e08a998ddc80b2a |
| SHA256 | 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec |
| SHA512 | 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\LogProvider.dll.mui
| MD5 | 8933c8d708e5acf5a458824b19fd97da |
| SHA1 | de55756ddbeebc5ad9d3ce950acba5d2fb312331 |
| SHA256 | 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6 |
| SHA512 | ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\IntlProvider.dll.mui
| MD5 | 2eb303db5753eb7a6bb3ab773eeabdcb |
| SHA1 | 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4 |
| SHA256 | aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f |
| SHA512 | df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\ImagingProvider.dll.mui
| MD5 | f2e2ba029f26341158420f3c4db9a68f |
| SHA1 | 1dee9d3dddb41460995ad8913ad701546be1e59d |
| SHA256 | 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3 |
| SHA512 | 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\GenericProvider.dll.mui
| MD5 | d6b02daf9583f640269b4d8b8496a5dd |
| SHA1 | e3bc2acd8e6a73b6530bc201902ab714e34b3182 |
| SHA256 | 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0 |
| SHA512 | 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\EF4E15D1-5AA7-4364-B1B5-CDFA6BC8D710\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Windows\Logs\DISM\dism.log
| MD5 | ffb5e9e73e2c03833b4737d37310fc3b |
| SHA1 | 1e4d9b5eed08a857f990202c0f99ce9f2502a2e0 |
| SHA256 | 0042fd9bb5a3917c4c8d6fbdea093c3ddb7c0f7f0b6b346095e5ad4c732639ab |
| SHA512 | 170df4948bb676e828ebdbc670c9757631460dd572ba4662ba8d34fab2e667a92ac17ef0405831de38f5f3121404fbb71fc38ace461b547ef0b7e3fd452bda7e |
memory/3480-529-0x0000000000D20000-0x0000000000D56000-memory.dmp
memory/3480-530-0x0000000004D80000-0x00000000053A8000-memory.dmp
memory/3480-531-0x0000000004C40000-0x0000000004C62000-memory.dmp
memory/3480-533-0x0000000005490000-0x00000000054F6000-memory.dmp
memory/3480-532-0x0000000005420000-0x0000000005486000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0egvm23.sxt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3480-543-0x0000000005500000-0x0000000005854000-memory.dmp
memory/3480-544-0x0000000005AE0000-0x0000000005AFE000-memory.dmp
memory/3480-545-0x0000000005B10000-0x0000000005B5C000-memory.dmp
memory/3480-547-0x00000000703E0000-0x000000007042C000-memory.dmp
memory/3480-546-0x00000000060C0000-0x00000000060F2000-memory.dmp
memory/3480-557-0x0000000006CB0000-0x0000000006CCE000-memory.dmp
memory/3480-558-0x0000000006CE0000-0x0000000006D83000-memory.dmp
memory/3480-559-0x0000000007460000-0x0000000007ADA000-memory.dmp
memory/3480-560-0x0000000006E10000-0x0000000006E2A000-memory.dmp
memory/3480-561-0x0000000006E80000-0x0000000006E8A000-memory.dmp
memory/3480-562-0x0000000007090000-0x0000000007126000-memory.dmp
memory/3480-563-0x0000000007010000-0x0000000007021000-memory.dmp
memory/3480-564-0x0000000007060000-0x000000000706E000-memory.dmp
memory/3480-565-0x0000000007130000-0x000000000714A000-memory.dmp
memory/5096-573-0x0000000005F50000-0x00000000062A4000-memory.dmp
memory/5096-578-0x00000000703E0000-0x000000007042C000-memory.dmp
memory/4340-598-0x0000000005880000-0x0000000005BD4000-memory.dmp
memory/4340-599-0x00000000703E0000-0x000000007042C000-memory.dmp