10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_1009_ld.exe
Size

2.5MB
MD5

6908b774daad336d0ab1c55f55c344c4
SHA1

04ea8a943ca41fe152a4c2ec99ede83967d546f3
SHA256

10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4
SHA512

aa283489d2474f7b8a5f2bb6f524aa5c3f99932b61e52737db36b8cc7b168e6040217ec69860592e473fab6df5597cc30ce79c23b17805f6cf3c854f41d41de8
SSDEEP

49152:GNfatughHaKLIKN1cueXlaYbsISTb/am5B8y6sEUhSSwoUK0:Gla4ghHaKMu2IYbsIW/amj8yF8SE

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLREMOVESIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
656	icacls.exe
2692	takeown.exe
1876	icacls.exe
220	takeown.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
220	takeown.exe
656	icacls.exe
2692	takeown.exe
1876	icacls.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer9_es_1009_ld.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\host_manager.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCAPI.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libssl-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVBoxDbg.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VirtualBoxVM.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VirtualBox.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPLoggerCtl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES12Translator.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 4 IoCs

pid	Process
4828	LDPlayer.exe
4928	dnrepairer.exe
1044	dismhost.exe
732	Ld9BoxSVC.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2024	sc.exe
2588	sc.exe
3176	sc.exe
1140	sc.exe
1560	sc.exe

Loads dropped DLL 53 IoCs

pid	Process
4928	dnrepairer.exe
4928	dnrepairer.exe
4928	dnrepairer.exe
4928	dnrepairer.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
1044	dismhost.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
732	Ld9BoxSVC.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe
1180	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}	dnrepairer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3996	LDPlayer9_es_1009_ld.exe
3996	LDPlayer9_es_1009_ld.exe
3996	LDPlayer9_es_1009_ld.exe
3996	LDPlayer9_es_1009_ld.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4928	dnrepairer.exe
4928	dnrepairer.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4828	3996	LDPlayer9_es_1009_ld.exe	115
PID 3996 wrote to memory of 4828	3996	LDPlayer9_es_1009_ld.exe	115
PID 3996 wrote to memory of 4828	3996	LDPlayer9_es_1009_ld.exe	115
PID 4828 wrote to memory of 4928	4828	LDPlayer.exe	125
PID 4828 wrote to memory of 4928	4828	LDPlayer.exe	125
PID 4828 wrote to memory of 4928	4828	LDPlayer.exe	125
PID 4928 wrote to memory of 1852	4928	dnrepairer.exe	126
PID 4928 wrote to memory of 1852	4928	dnrepairer.exe	126
PID 4928 wrote to memory of 1852	4928	dnrepairer.exe	126
PID 1852 wrote to memory of 4312	1852	net.exe	128
PID 1852 wrote to memory of 4312	1852	net.exe	128
PID 1852 wrote to memory of 4312	1852	net.exe	128
PID 4928 wrote to memory of 4532	4928	dnrepairer.exe	129
PID 4928 wrote to memory of 4532	4928	dnrepairer.exe	129
PID 4928 wrote to memory of 4532	4928	dnrepairer.exe	129
PID 4928 wrote to memory of 1648	4928	dnrepairer.exe	130
PID 4928 wrote to memory of 1648	4928	dnrepairer.exe	130
PID 4928 wrote to memory of 1648	4928	dnrepairer.exe	130
PID 4928 wrote to memory of 2676	4928	dnrepairer.exe	131
PID 4928 wrote to memory of 2676	4928	dnrepairer.exe	131
PID 4928 wrote to memory of 2676	4928	dnrepairer.exe	131
PID 4928 wrote to memory of 428	4928	dnrepairer.exe	132
PID 4928 wrote to memory of 428	4928	dnrepairer.exe	132
PID 4928 wrote to memory of 428	4928	dnrepairer.exe	132
PID 4928 wrote to memory of 4000	4928	dnrepairer.exe	133
PID 4928 wrote to memory of 4000	4928	dnrepairer.exe	133
PID 4928 wrote to memory of 4000	4928	dnrepairer.exe	133
PID 4928 wrote to memory of 2920	4928	dnrepairer.exe	134
PID 4928 wrote to memory of 2920	4928	dnrepairer.exe	134
PID 4928 wrote to memory of 2920	4928	dnrepairer.exe	134
PID 4928 wrote to memory of 4808	4928	dnrepairer.exe	135
PID 4928 wrote to memory of 4808	4928	dnrepairer.exe	135
PID 4928 wrote to memory of 4808	4928	dnrepairer.exe	135
PID 4928 wrote to memory of 2692	4928	dnrepairer.exe	136
PID 4928 wrote to memory of 2692	4928	dnrepairer.exe	136
PID 4928 wrote to memory of 2692	4928	dnrepairer.exe	136
PID 4928 wrote to memory of 1876	4928	dnrepairer.exe	138
PID 4928 wrote to memory of 1876	4928	dnrepairer.exe	138
PID 4928 wrote to memory of 1876	4928	dnrepairer.exe	138
PID 4928 wrote to memory of 220	4928	dnrepairer.exe	140
PID 4928 wrote to memory of 220	4928	dnrepairer.exe	140
PID 4928 wrote to memory of 220	4928	dnrepairer.exe	140
PID 4928 wrote to memory of 656	4928	dnrepairer.exe	154
PID 4928 wrote to memory of 656	4928	dnrepairer.exe	154
PID 4928 wrote to memory of 656	4928	dnrepairer.exe	154
PID 4928 wrote to memory of 2504	4928	dnrepairer.exe	144
PID 4928 wrote to memory of 2504	4928	dnrepairer.exe	144
PID 4928 wrote to memory of 2504	4928	dnrepairer.exe	144
PID 2504 wrote to memory of 1044	2504	dism.exe	146
PID 2504 wrote to memory of 1044	2504	dism.exe	146
PID 4928 wrote to memory of 3176	4928	dnrepairer.exe	147
PID 4928 wrote to memory of 3176	4928	dnrepairer.exe	147
PID 4928 wrote to memory of 3176	4928	dnrepairer.exe	147
PID 4928 wrote to memory of 1140	4928	dnrepairer.exe	149
PID 4928 wrote to memory of 1140	4928	dnrepairer.exe	149
PID 4928 wrote to memory of 1140	4928	dnrepairer.exe	149
PID 4928 wrote to memory of 1560	4928	dnrepairer.exe	151
PID 4928 wrote to memory of 1560	4928	dnrepairer.exe	151
PID 4928 wrote to memory of 1560	4928	dnrepairer.exe	151
PID 4928 wrote to memory of 732	4928	dnrepairer.exe	153
PID 4928 wrote to memory of 732	4928	dnrepairer.exe	153
PID 4928 wrote to memory of 656	4928	dnrepairer.exe	154
PID 4928 wrote to memory of 656	4928	dnrepairer.exe	154
PID 4928 wrote to memory of 1180	4928	dnrepairer.exe	155

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=393678
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:4532
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:428
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:4808
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2692
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1876
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:220
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:656
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\dismhost.exe {6DD93A88-2046-4B95-8462-CEA3A803B6EB}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1044
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3176
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1140
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:732
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:656
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1180
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:2024
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      PID:2588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1eb5ffaa41c73d028b4108eef962fb7f

SHA1
bba9bcb8a064fdf68a79bae656f11ba039c9cc77

SHA256
421b885202b3bfe4c7e5f9281c17f836df1de98db6d14c6590eabf4d8153a6af

SHA512
148863b577f7d9fc25225e8dfd3f01d4865afb1596dd320bbd0451fae9d173fc1e15105f0e98352bffb6c36a2462e3d8292ce6db8877b0b921b304be1ba2b879

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
5115ad2e73db8f2c00f9328c97469e0a

SHA1
552a24ab6bf961d84b1211f0b9d083c24c36781e

SHA256
19b8c6fa38f2fcc728acb3a110ab4bcdb49648440957a75ecc107c84f3eb7be3

SHA512
7ea61e22a4d036a690ed6fdb6fe05464c0430cc4811930815d6d7281f99c2895e7956b90ec255f59020da82c6f7ae32a9ac780e9d4464a05d4f680119a4ec739

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
8556c04c551d35d6a80ebaef4bde9af1

SHA1
158feb0ecf4a6c5cdd93169cdac4c8f10db6f85d

SHA256
7dd496d6acdc405576d42cb50956c203f7aa69080c65e587b1629f45d0b52ee7

SHA512
b29ec3d8833e96ec672ac7378b86bbcd3a9a306d01ae7acb143f68686fc7416a22cf09f315cbfad0e38aa2e7d8595df2584e38bd6d9b1f3173f7b1b7b49da227

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
642B

MD5
82889e34ce601d6603978ca404e508d2

SHA1
1c8598add704117851e89b361134927531f04213

SHA256
b5f259db28c9de4701a95b05bcdad9b0ea733b3ec9a8eceece96628a53bd9018

SHA512
7bdf46eac1afe7a25e8ae609219d06b75e8125999533d74d15df3c652bf1cdcc23897f948593478e847a8d82cd5d5c7c130c65d992beb3cf61fe1c882ca64e42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
bcc1857730756d6ebe865afb2eb2d54b

SHA1
9dcc73010f1a8e719dc9694e1d7940650a69bb90

SHA256
faf195afc1ddfacd988dbff51df86179b25aa7987134927ea6aa1871b5342179

SHA512
c323475370c6f9bc4bcefad4f5bcbd1a2f28280fc5992eba0c1bb483823b2d3144d3a61c01020c20d6e976c59a021b26e22ca78caafcec324d014406ca0ad45e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
94e1d38197f24588dc0c7a256e4e7207

SHA1
b66fbce0a7ac9b390d060b0a48c9780cade3aa26

SHA256
b31573f7649a49a219782b6cb0932366d7dc49c12e1304456606c81d16d58dd7

SHA512
bbd0681ac307c6b706ba6321486d79b6423e65310bd7a036c6a6eed82b076ec86e23f35e1b4fc51f90d6eaa89298f661d354f36a4e1c61b055940390b26a21e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
515b4f9746229122422d2a9c886c6bee

SHA1
c1b45989ad3006b580b1d21d8e0d3c3daabc6c4e

SHA256
eccdfdc20cb018f24e3f476a6e3103838017a6057e07990173bae07e3f72b5cf

SHA512
9882df522cd3ccf99294877dc72227365cb061414202f0dfb2cfc5b4488d4fd8d583153d1e71104ef26b464db7b1807190209f026a648ae6c634a1eec3952b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
6108692d091e90feec01dadf30df3e4d

SHA1
db90547214a6db1af6d5a6db5b62f19ce601127a

SHA256
0fc353bd14b197347a963331ca18c1c31262261b5cde04a78fe6d1d70a03ff06

SHA512
86a970d31df0b3bf67402c6325145034258cc131e6f0bf866b9faaf9f416d90c93bd2c41fba0c380540e0f4c10e20d66f4537e4d66b3cbd3d711659b794b1275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
fed6142ee224bf295784aaaf921f8749

SHA1
96e65df8d38039f8d9dbee48805da3721cc6f795

SHA256
c7b1eed2f0774f17a09ab866f83d76ecc461430ec3513d56e17e4b32f18f9f63

SHA512
0522834a0ba23a9fbbad99b4e11b8c8cce6aa33f0ba5254086097c743dcffe6b5bf1adf0b0a8885f5e4dd53c200126bd5a4287f339b6de1fce8d0b2f961b0c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
26d40bd73ef22a58aff25e64cff92afa

SHA1
e03d136c80269f07ac2ffe3676d77f2f01dad54f

SHA256
4471f50ef1294570142d55124fc97e21cbe0d90942225b2094e8c0255b04240d

SHA512
27dac4fdd615de8994c9220ad13d793d4a466ddbb007a28e861e73b03621e0a244028ab44f24cc0476edad194058dfa6784038e9257c3d6a7f302e655220a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\IBSProvider.dll

Filesize
59KB

MD5
120f0a2022f423fc9aadb630250f52c4

SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\ImagingProvider.dll

Filesize
218KB

MD5
35e989a1df828378baa340f4e0b2dfcb

SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406

SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\IntlProvider.dll

Filesize
296KB

MD5
510e132215cef8d09be40402f355879b

SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1

SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\MsiProvider.dll

Filesize
207KB

MD5
9a760ddc9fdca758501faf7e6d9ec368

SHA1
5d395ad119ceb41b776690f9085f508eaaddb263

SHA256
7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f

SHA512
59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\OfflineSetupProvider.dll

Filesize
182KB

MD5
9cd7292cca75d278387d2bdfb940003c

SHA1
bab579889ed3ac9cb0f124842c3e495cb2ec92ac

SHA256
b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f

SHA512
ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\ProvProvider.dll

Filesize
753KB

MD5
70c34975e700a9d7e120aaecf9d8f14b

SHA1
e24d47f025c0ec0f60ec187bfc664e9347dc2c9c

SHA256
a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7

SHA512
7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
d6b02daf9583f640269b4d8b8496a5dd

SHA1
e3bc2acd8e6a73b6530bc201902ab714e34b3182

SHA256
9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

SHA512
189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
d4b67a347900e29392613b5d86fe4ac2

SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb

SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\ImagingProvider.dll.mui

Filesize
18KB

MD5
f2e2ba029f26341158420f3c4db9a68f

SHA1
1dee9d3dddb41460995ad8913ad701546be1e59d

SHA256
32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3

SHA512
3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\IntlProvider.dll.mui

Filesize
27KB

MD5
2eb303db5753eb7a6bb3ab773eeabdcb

SHA1
44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4

SHA256
aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f

SHA512
df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\LogProvider.dll.mui

Filesize
6KB

MD5
8933c8d708e5acf5a458824b19fd97da

SHA1
de55756ddbeebc5ad9d3ce950acba5d2fb312331

SHA256
6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6

SHA512
ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\MsiProvider.dll.mui

Filesize
15KB

MD5
c5e60ee2d8534f57fddb81ffce297763

SHA1
78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2

SHA256
1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145

SHA512
ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\OSProvider.dll.mui

Filesize
3KB

MD5
0633e0fccd477d9b22de4dd5a84abe53

SHA1
e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9

SHA256
b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706

SHA512
e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\OfflineSetupProvider.dll.mui

Filesize
2KB

MD5
015271d46ab128a854a4e9d214ab8a43

SHA1
2569deff96fb5ad6db924cee2e08a998ddc80b2a

SHA256
692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec

SHA512
6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EB2A7FF-F5F4-4B72-80FA-3D763620A192\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acxhcxvl.fk0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
a877bd5e5cd663745b745b2a1bc40f6d

SHA1
fbe73dc68bd09f004887540efdefe72cea8aac62

SHA256
a9a0e57b261a81560508f6e1c05e6b1433b4963e622808f77d17e054d947c15c

SHA512
8c882c7d9797f443200ca3ef0dcd0d9225381a794f7b194b6f7414592cfc03f4e77d4039fdf3d992788c1333b58cde6073f9e5fefa1fcd92dd932d892e65e851

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.2MB

MD5
1c92afbecd9cffb57a56623c64f3afce

SHA1
0331bcf331494b7d910bca0d392e305e060b01a2

SHA256
d9b5dc1fcdae49bf1440c3ad9f4c1117b218687c832f0e6ae9710694cb817357

SHA512
82759203e0c060379b7f85a625ca0c86d58649fa5a31f1ea08a4dc196aaed9155d26b79591a3e2cbaebe5a0b9f5e57d49554ec8d87442615bf2c81e361999eab

Download Submit
memory/860-898-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/860-908-0x000000006F5A0000-0x000000006F5EC000-memory.dmp

Filesize
304KB

Download
memory/1300-887-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/1300-888-0x0000000006B20000-0x0000000006BC3000-memory.dmp

Filesize
652KB

Download
memory/1300-859-0x0000000000D20000-0x0000000000D56000-memory.dmp

Filesize
216KB

Download
memory/1300-873-0x0000000005600000-0x0000000005954000-memory.dmp

Filesize
3.3MB

Download
memory/1300-874-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/1300-875-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/1300-876-0x0000000006AE0000-0x0000000006B12000-memory.dmp

Filesize
200KB

Download
memory/1300-877-0x000000006F5A0000-0x000000006F5EC000-memory.dmp

Filesize
304KB

Download
memory/1300-860-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/1300-863-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/1300-889-0x0000000007480000-0x0000000007AFA000-memory.dmp

Filesize
6.5MB

Download
memory/1300-890-0x0000000006E40000-0x0000000006E5A000-memory.dmp

Filesize
104KB

Download
memory/1300-891-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

Filesize
40KB

Download
memory/1300-892-0x00000000070C0000-0x0000000007156000-memory.dmp

Filesize
600KB

Download
memory/1300-893-0x0000000007040000-0x0000000007051000-memory.dmp

Filesize
68KB

Download
memory/1300-894-0x0000000007080000-0x000000000708E000-memory.dmp

Filesize
56KB

Download
memory/1300-895-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/1300-862-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/1300-861-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

Filesize
136KB

Download