10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4

Analysis

max time kernel
270s
max time network
271s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-11-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_1552109_ld.exe
Size

2.5MB
MD5

6908b774daad336d0ab1c55f55c344c4
SHA1

04ea8a943ca41fe152a4c2ec99ede83967d546f3
SHA256

10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4
SHA512

aa283489d2474f7b8a5f2bb6f524aa5c3f99932b61e52737db36b8cc7b168e6040217ec69860592e473fab6df5597cc30ce79c23b17805f6cf3c854f41d41de8
SSDEEP

49152:GNfatughHaKLIKN1cueXlaYbsISTb/am5B8y6sEUhSSwoUK0:Gla4ghHaKMu2IYbsIW/amj8yF8SE

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLVERIFYINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
2920	icacls.exe
1952	takeown.exe
2000	icacls.exe
2252	takeown.exe
1100	icacls.exe
3580	takeown.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2252	takeown.exe
1100	icacls.exe
3580	takeown.exe
2920	icacls.exe
1952	takeown.exe
2000	icacls.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer9_ens_1552109_ld.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org
98	api.ipify.org

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\x86\VBoxRT-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5PrintSupport.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxC.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Core.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libssl-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5WinExtras.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStub.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 5 IoCs

pid	Process
3636	LDPlayer.exe
3188	dnrepairer.exe
2680	dismhost.exe
3644	Ld9BoxSVC.exe
2244	driverconfig.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1980	sc.exe
640	sc.exe
1004	sc.exe
3640	sc.exe
1860	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
3188	dnrepairer.exe
3188	dnrepairer.exe
3188	dnrepairer.exe
3188	dnrepairer.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
2680	dismhost.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
3644	Ld9BoxSVC.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
396	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
3420	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe
1652	regsvr32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_1552109_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753608683805765"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\ = "IDHCPGroupCondition"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\ = "IHostUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\NumMethods\ = "69"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\NumMethods\ = "19"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8079-447A-A33E-47A69C7980DB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods\ = "45"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C380-4510-BC7C-19314A7352F1}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8A02-45F3-A07D-A67AA72756AA}\ = "IProcess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ = "IMousePointerShape"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ = "IVBoxSVCAvailabilityChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ = "IUSBControllerChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ = "IGuestDnDTarget"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ = "IExtraDataChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8384-11E9-921D-8B984E28A686}\NumMethods\ = "37"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4208	LDPlayer9_ens_1552109_ld.exe
4208	LDPlayer9_ens_1552109_ld.exe
996	chrome.exe
996	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
4208	LDPlayer9_ens_1552109_ld.exe
4208	LDPlayer9_ens_1552109_ld.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3636	LDPlayer.exe
3188	dnrepairer.exe
3188	dnrepairer.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
3636	LDPlayer.exe
3636	LDPlayer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe
Token: SeShutdownPrivilege	996	chrome.exe
Token: SeCreatePagefilePrivilege	996	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe
996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1048	996	chrome.exe	86
PID 996 wrote to memory of 1048	996	chrome.exe	86
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 4252	996	chrome.exe	87
PID 996 wrote to memory of 3164	996	chrome.exe	88
PID 996 wrote to memory of 3164	996	chrome.exe	88
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89
PID 996 wrote to memory of 696	996	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1552109_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1552109_ld.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4208
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1552109 -language=en -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=721116
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2236
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:2092
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3776
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2956
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2252
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1100
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3580
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4756
    - - C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\dismhost.exe {218E2129-7B7F-4491-996A-018C93C1AB62}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2680
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:640
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1004
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3644
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:396
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3420
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1652
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4560
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3640
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe30c3cc40,0x7ffe30c3cc4c,0x7ffe30c3cc58
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3064,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5236,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5220,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5132 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4772,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3292,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3444,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5664,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5672,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  PID:128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5820,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3416,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3228,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5940,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5536,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5352,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5960,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5584,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5500,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1140,i,18436826736639987436,12887271490425713181,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5088

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1eb5ffaa41c73d028b4108eef962fb7f

SHA1
bba9bcb8a064fdf68a79bae656f11ba039c9cc77

SHA256
421b885202b3bfe4c7e5f9281c17f836df1de98db6d14c6590eabf4d8153a6af

SHA512
148863b577f7d9fc25225e8dfd3f01d4865afb1596dd320bbd0451fae9d173fc1e15105f0e98352bffb6c36a2462e3d8292ce6db8877b0b921b304be1ba2b879

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
03746b5d567927bdb69499ec30039d8c

SHA1
93b08624bd80ed01c370e0ba9a2ee3824edd8733

SHA256
1e3b7a0ac94de0e7209b19b709a0ddd2effbc1b98437a81b3d3dac853ef54b77

SHA512
abf608e020e732407524b780bed7b894768f9828dbbecb1a66c9b6d8cb079380646bc228dce5f1bdbef4b089b241574a22c79eee3271a623cd05e7754ad83e19

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
2c8986ce6c1c5fcba4146f642e95d862

SHA1
a913254e6a9bd1db7825f9880a992f21a6827bd7

SHA256
07285fcc8e65f164c8897ebdb63dc44801dae28782a6b2ee5f3469c64952efd6

SHA512
a5b074ad394b75f2597007ca732f5e1b877fae483122332dbcaecfea0c6c52a658df8b5844e60280766fcd38333dfac3a259c159c405a83ea6b78691405203d5

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
5115ad2e73db8f2c00f9328c97469e0a

SHA1
552a24ab6bf961d84b1211f0b9d083c24c36781e

SHA256
19b8c6fa38f2fcc728acb3a110ab4bcdb49648440957a75ecc107c84f3eb7be3

SHA512
7ea61e22a4d036a690ed6fdb6fe05464c0430cc4811930815d6d7281f99c2895e7956b90ec255f59020da82c6f7ae32a9ac780e9d4464a05d4f680119a4ec739

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
8556c04c551d35d6a80ebaef4bde9af1

SHA1
158feb0ecf4a6c5cdd93169cdac4c8f10db6f85d

SHA256
7dd496d6acdc405576d42cb50956c203f7aa69080c65e587b1629f45d0b52ee7

SHA512
b29ec3d8833e96ec672ac7378b86bbcd3a9a306d01ae7acb143f68686fc7416a22cf09f315cbfad0e38aa2e7d8595df2584e38bd6d9b1f3173f7b1b7b49da227

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
641B

MD5
b9f6b70aec98c62fd7e83d18d94628a5

SHA1
ddc04b3f48f92fd6156f74aa3fc33db6230d0026

SHA256
fef7f8a59ac9b0a7f4348e35e3f549935c2176108144d78d5748d963fe01aad4

SHA512
4cac1097fa3093032012c786d3053443818ec2a4214c2749dcb3b65412c403a8b24e26d8caf0c46cde89294a2e3ba358d87f84b8f43eb348a31c3dd3da053caa

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
5a8b4f45723514503be83d6c46d50f42

SHA1
b9d2e66f8485199f9e282073d7610c90b4a4b729

SHA256
a611f6b0fa73042a0abe7ccf53c0e2e25ffbb27ecb7d247ffc8d9fde4a0aa735

SHA512
9d6dfc728cf6134c4d814cfc10130533c58dbe6be1196290be5ed9a1da45bea95ebaeee62fa21db7e2cb3155b31739e7dd4208a0a099f996925d51e69a715821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
e50bab3b4b6196d837b1adbbe59da1e1

SHA1
3a030f68abae91962ca6de056a5339efceaf317d

SHA256
b41d1d92107075e364df7c9978cd77207770b3f9a1493126d16092ad7dad185d

SHA512
9cf35d67065609a1570599574c7acf63e4bd7fd79c5c17027812475fdad230d34bd1670ac4c18e3e2ec807283ad2fca75e8c394ac3bae921db20e195b2bf7b79

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8c978707-d1d4-41f4-bd42-05870565bcdf.tmp

Filesize
231KB

MD5
40a606c0f92bbf92f7fc796d2b51af23

SHA1
cc4789ef4f1ce02fd29721cca343c40560b6482e

SHA256
f9ab44bb6be1410c8a4e0137d78ecdf6cf420b18f5e023ec44c5bdcbae056ee0

SHA512
cb3cef030438e4d0c9eb17b1c70204fbbd48a25994472b945596d29c03cb0765565c538c1bd34a7ac1e914039ce227737e0c6fb6aa3a126d01213c6e10bac12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fb2b201cdab02f564690e3b6b059431b

SHA1
1b86c89d4af0976f10461e55d8369941f04b39cc

SHA256
b020984eb6168b80951bc8ad14cd9fe0744cbdb01626f21fb05fe70e510fe5bc

SHA512
f067a2b9aa8c637b8c68958d90b666b0a7518e864d7959cb9c2dcf90d0afa2480f9a2d915d0c8debb41e20d198abcbd20c53be1700bca5a42d03b307b15235c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7101d82921c0a2cbc39d62da46811907

SHA1
8d751c72057ed3a0d77c7a97771a35085cf65f1c

SHA256
9a5f2e6f691d35ebe529b9b2d749fa312e778f14cff975bd2b11aa2cf245c1cf

SHA512
a9fb421ccc788a76b9c5f3bd622db8975ea3b9eb17eb7013c46e4a587b5be4f33ef6a59316c6e9c38d1bbb15d1b65a06cb18876c35e0b96db44737634dce81e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
97ba2e8aeb85a00227ab18f7f26ee95a

SHA1
79308771562b40aedd98bef2893702a4916a9926

SHA256
669bef884f2c404e636fd81be835ed8eb34977f6215f39d2fd3c1dc26f79c8cd

SHA512
ee34e25af56f502c275b7a30f9467f2d80a5099644cbca0ca835f789b490641ac4a98bc132b78dca462c968e4ff4c468a88ea6c62458f92dc24f797f58e4e882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
8a197fb0294240b088094da62bf435da

SHA1
227b35c79068b5b25dbfa87d344601b94321156d

SHA256
e10f710167054e1e07b65f12c4db8dca3388272f448c0554ce5c0d25c9c5606d

SHA512
167d3da0b90070560b76ab802a75c76e425e21f54901fa7066bd900a7c09a0b711b396b2833fe401e69e09fb7a91cf7090b78421732d19e17d6a7ede06f77746

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7495d63d6506fce2b5350ec6a65b6592

SHA1
f04f8eccba43c1c93e1bb72c8d96653a9f410cdd

SHA256
007edba35c6b9c2b0f49545c7d65e011c35a737b5cd79fb3e90caad460d245e4

SHA512
b95a10575804803d759275d84c7af0284cdea8970450370774f227e1f1d1534aa6a2497ae6834f3dcbce12942d319af5d42e42a4de87bba51a1bb5b50c009d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6e57bf6ca2688044e69533f1f4fded21

SHA1
ce1ad55b1fa9cadc2271e1e3e93e9912654b0812

SHA256
72d5460aa35cc44c6d5ecadba9b6695d0311efe11bb5233b1a15e96307093730

SHA512
2bfc2f43469bcc67df74658afd8c90f9c99399f0eccecae5a0171c48cea6abe563474419ca5eb8d89805d3dd32e03c1457ab88e5c39d2b6308eb375c89f073ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
83cb814b119eeebd595fbc436f0e21c9

SHA1
fa8d53b31a146b4f2a3ab1aa8e26f112117039ae

SHA256
73bc43b1a0561e189efc7c37ecdff367859c744ed4d660dbdd6dc8440d588841

SHA512
64564d9e999bdca5bfa7752bf7d41c7afe2c318bf649243b96cbf4030ddd56426d48635ccccc2dfd067c68fdeba5bfe1cee7cf190ea4d4e65a907912b06df236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
62c7c078370eef6fb881c3aa5c278f89

SHA1
843775ba34aa30f7e2edd56b95c15ce869c05867

SHA256
c951122bc08464f1c2a5d6b1021fce830d6b6d344b020a7802caf61a39303971

SHA512
379c07d5cef63b4a85534b21657885eca172627b23b883660a9a508098ff3a8874345708b59a463685dbc7c8b20db4f66bec5466b5742a6997ded5136e7c15d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2ad57e6c33e9dc3589a28e69d84d4041

SHA1
513e4d01815a751494597d57ea71727192d7910a

SHA256
79e04b74e21665e1a21f4eb1cf9c791eec612168b8f108611172de3715281d2a

SHA512
c642624fad689591a14c38a447fc7dd57060b107a8a992bf43e36bf2aa7d633e258ae00aa4baa1980aecd01d1f9576330873e294f581632bba4d0bb206692648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
925cf22d59cb5eda8fa8247ff51ff9e4

SHA1
3eb6e52d6f924115b2cb0c427e9e0bcb84ed58f6

SHA256
ef8ccefd0a3aba00c2b859b56b9cd3e1abf285b8819ec55fae234c83060c1c0d

SHA512
47e107810053d4946666dc77ed8bb784bd22fdecdec613c0943a1947a190f8d6043c68faa5be5622c7aa6cb7ba847c8e6d5346a20e060f05564b058af5c480ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfa25b3d31cc1dd152901c54de966f4a

SHA1
4fc9fdef2477a59975af70723ccccac7cf5e39b3

SHA256
98fe1f4a3ee3c448e73d42a9140d8b7e43dd5ffdba552352874051ea37c148a1

SHA512
97bd69cf7c0f1b00088c1fd5f0178f776f54cf422ee38e63c69032b7532abc6a331750050b502b3f4570a4a16bf61c6b6b0f9458ca582713e3e6b617418332c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
36b08aee783bcd5d7a6186e2109a86e3

SHA1
b690b02b8d76594a2974c433487a757bb1713057

SHA256
c4b5e0e6f7c331056a2912dbc1e651104c995539b584a9c532b2a9ac7791678d

SHA512
28e53ff8949542d70a7f2bdaea8adbb3a6ef53d46db5adbaec2cb18a2150107bf2f9836764d3fb1a8dcc1931263203d42a127116d93d375271a8a86d01ab8355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
83f1b61e28b92f645c86058bd9d39f40

SHA1
1ec41763b11635ef351e5756241fac5ddceef0aa

SHA256
885f6ac6194054ac9419c85b33d2d691b43e05227da8fdd2a1b777c551007097

SHA512
515f4de2bd562ee2e26e567abd884d46184e7fff1f8fba7233f21fdbfa8116cf5fe6f6b0df3322e39d4aa27f942abbd504f02a6c861f88c70fde7267b1f9ab9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e1e2466c34d6f5ac11ffb6a348b68ca9

SHA1
81e8c81c59ac4443935308997f53500095e46ec2

SHA256
c2f8a4e5b1a155e00dd7a8e072e0f1ce8a50cd9529652adfbf5d700ccce886e7

SHA512
3e0493884f063a056b8932f4f5463a954355a7a7a41676f74065a9c4ff87b5aee88c071563faa5ed5a09bc1fff1b011e48eb2b8439063c60bff62aeeb6b59037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b9090828ad5757636b40ba445b385020

SHA1
44e9439c177885a15d44ea3d720e1148a031af84

SHA256
dbf9be31c58c1da60afd8e033fdbb8e3b61f01e1e1ffd494a710a546e2d025c9

SHA512
7af7efea2a701feb4c41881d773ee4e52efee19f91679d8ec64533b4f45db673078bbaae2a444946670e1fb548a01a175b5fb47728d4a8ac662fc06ec703c2d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b10bfd6888c3ecbe9f577f1b3aff9c1e

SHA1
1eb9d124deaa2412ad30977cb36226e6e13c307e

SHA256
751e0aa4547968a6915b78d16562d2ac167be4d529b0be9de6fbdfb95b4d0f31

SHA512
caf070d7b9a27a86662261b3d03eb5d768882469fb0c3267668686da9cb7ef8fd767f6487839658e5196d51c361579f98c9fa83418efdd5aae694743c99f9d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54788c6710ce215257f6fa76598b6a88

SHA1
bd27c4ed28bb0889bb00504d781585c45ef83aef

SHA256
a0492297d10f4355679805e291069df29ce08b3e28f255a58e41f5d344403542

SHA512
5a850727d3c715903a77e793bb53704535a995b4a4e3a7764689fbacb2222f1726eb7c2f1bc34dfdd584f441d4bf39c31636c517cf6146ca7bf53dd3012355d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e35e21a79e2be8b0efa368c15df2f660

SHA1
6bface72ea9688b3429249a8b8a3c56d186e7e95

SHA256
1ef60a664d24499b64ced921e84260c6136c70fe692a4272460e773a5a1a345f

SHA512
ec8dbe0c837cf5ad1e3cd9fca393a538a6e41b27733142095b8187f5e94e184df37f9173c5bd11ad12e297da39ae54865eb096764fa086f99adc6e6595a788c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2395d45514346f6a6b6d8818ee4a3f82

SHA1
ef8a58b9e03035bfec0e4124f010c6c1c1ee4939

SHA256
85b2fc90713b2be47dcc51646ab52e4d5ec87feb12372291a8cc4828ca82f755

SHA512
3ac6366671efdfd0a20e03754be4ae72faf0da67c00f6ec606e8c8df8a37c5bfd2989a2ef3b30312611f1b7629151f1bf2654ed132b4cc862502cc41eff6bb91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0e43c21426068c3ae3dda20bf263858e

SHA1
20b0a4a6cae42dfecd1beb935638060c732a8ab9

SHA256
6eebdd9d7e7c32905420924b8bd9b0865beb6b18d3955b2abac2b812dc278229

SHA512
87d0792f61e2ddec056e97521c5e3b54e29dfdf301bea8ceb399a739619b39cab16fade6a874e2664502ad5bb9b413ed399023ac9002434416a3da7274f0aecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8baf6befede52c8d5204c7ec5c0272a4

SHA1
ba7b48f4224a69bed0cab045fc96a7a2514d0531

SHA256
4aec4abc2790c8ff849bb46e9f7379dc9a9923d23b45f280d15e43858dbedd8f

SHA512
170e3cb3f75bf91a5eb00604bb239197c60a4d9858fbe8e7be04097825a6cc0da5399386590b3c4c1f781343a5b09be5fd8801784af41992f9f096bd31a3c413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c6bfe24787678449251b625777f69f1

SHA1
5640a2d44547e33e9fcc328ae399691d50666d0a

SHA256
21a18533814b5afc1103672050298a0ab4ab515e6ef555ef8be24e536f3e5eca

SHA512
50aefcf523b5ca0a5a66775c80a695b6516dacd1d2008157588e8f7e27b1e6e478edbe57cb400c0ad3c050ba35e8d7f7182944b1e6e5d0a752a95a1b2041c1f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0ffdcad706e3a12460a6fe74cc537b0a

SHA1
a91af4b37bf14d043fbc8d4ff0c5b48661cfeded

SHA256
5befb8f2e8544cac19caf631ca680da0b6ca2827ad7de90f8a8b2d20b0be7c19

SHA512
6fcbde408bf62c5081eafff284abbfbb238a18aa41138ded0153bd07613d640953edf8e3453828808c8796d19b9693642a8eda81499d0d6a55cf286ea2b59e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
93bfbc7a889eb711af7c56bb2e9114a4

SHA1
2cb8196f8e359b6edadb8043cd2a206b46bcc4e6

SHA256
26bbd2194ca0fde1e0d4d36933d088f06ffebd64e5ee390237bfa20147a9f3d7

SHA512
a2ad9e3bf8f2b1be8a2d12c0ec4703fcfed1184ec35a6c8a7ed391bcdc5a4a90140877de8cba3be2b90af7e84ffded5320ec087c59d724955751c8f4ac4c84a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
74B

MD5
645a226475c55a5d7c06800c43d21893

SHA1
f04b2ac9ddcf1f07b7c909289425c5d0978a53ad

SHA256
6e567f47764a214b8f0ad800564e7183a8a14a3b3bca4002bdb9be18a71dfc30

SHA512
cde948b24a612fa240de43716b5fb3bb962ca6d68cae422f18c0b79bed1587d442819219c74dc036942be56b0e39d668c3a7a1487fd93918647feb4f58532ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe58535b.TMP

Filesize
138B

MD5
dddad35f940ca66ee3bbf57aa32aa973

SHA1
7411941af16e909f990fe39da56800810610cb08

SHA256
9a6c0afdf6db6537de06f3f40842226fd32a2cae8aa8e5909c2471ceb8225253

SHA512
8262f2bbe47bbaf77f8979a22f5214005a2012fe022b1322b7b44e7f4807d932b3aed380759216eea34ca8597843e91e6b19dde7f8394f56b913126a5a6839c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6cf9bbb86836210f126712a519473fc3

SHA1
85877888d0fa91c6d410f336c5178f681c69c953

SHA256
6b034e0368cfeed1a8344099835b8c468462d127756dd9d2521922dc170cc322

SHA512
a1110b733d8c2bed059f54685b2d4d84c4b5ac067f5307688f486094171283224e6ed04f1b28797134e8c300226fbb184e25b2541cbf1f05d9075c3e5d9e6bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
97e98bf28c04e2f0470293f340d9e023

SHA1
63bed7ee15bf0fc72a80126182476a7f4c7c9e49

SHA256
9bfae34000947db2513e2b6cd8a8657b8e0b7dcf6e3fdb45383e531a046894e3

SHA512
2dd7cb9dbbcfbb96e9649dc1f8c95e5bd30c477cf075f0edf914a441aa78d79f4722a95f9c532f10598bd133506194f8222b58584dba11d4d91870d2eca0f222

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\beeaba59-d855-4e2f-a6d1-d421974083ea.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\759F7317-ABB3-4CE9-BAFE-ECC5DD735177\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvej2qj4.a5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir996_1679899874\859e2826-fa01-4154-84fe-ec9f86882f8a.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir996_1679899874\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
263KB

MD5
26837e7427d60d5234eb36910578dc79

SHA1
3a79179891e95aad816775718ea3a661dced564c

SHA256
4282ed431a04021d1d26086a52e8a6a68d7bfaf2027282599f4c7bfcd0a3507a

SHA512
71e1dc6b19239995ca59fb0e2af12b0473717d44a0ceb793d3d3f9472db6e4719d97d9a49eea1788b04686486dd9dd2967a9f45cef5659e61f809096c24d814c

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
266KB

MD5
97d64fa65ff7944c59dafe0148f223fd

SHA1
579470cad31839d10b6e5d49da82cb2ec4f3669e

SHA256
ab5efb662f29be941369bbd523c263ce7ff36985dc87f64c08f6260b8ef34d66

SHA512
c8c2d0f2275ab8f4165fbb2141fb313cea2122bf541909e5fe663a3117886e88aafb80e0ea30e8f64e218ca18c74e62dacc24249a97194ba068f327fbeeba6e8

Download Submit
memory/1008-1880-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/1008-1876-0x00000000057D0000-0x0000000005B27000-memory.dmp

Filesize
3.3MB

Download
memory/2544-1899-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/2544-1890-0x00000000058D0000-0x0000000005C27000-memory.dmp

Filesize
3.3MB

Download
memory/3796-1826-0x0000000005050000-0x000000000567A000-memory.dmp

Filesize
6.2MB

Download
memory/3796-1856-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/3796-1829-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3796-1859-0x0000000007500000-0x000000000751A000-memory.dmp

Filesize
104KB

Download
memory/3796-1857-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/3796-1828-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3796-1827-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/3796-1858-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/3796-1825-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/3796-1838-0x00000000059D0000-0x0000000005D27000-memory.dmp

Filesize
3.3MB

Download
memory/3796-1855-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/3796-1854-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/3796-1853-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/3796-1852-0x0000000007090000-0x0000000007134000-memory.dmp

Filesize
656KB

Download
memory/3796-1851-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3796-1842-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/3796-1841-0x0000000006E50000-0x0000000006E84000-memory.dmp

Filesize
208KB

Download
memory/3796-1840-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/3796-1839-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download