9bb59ea13d91b11739e9eb8e39ab243d80935310838b0f60b450ac2a906aabee

Analysis

max time kernel
390s
max time network
391s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
Size

2.5MB
MD5

4b3458b9c6aaa39ef37fc290459b6908
SHA1

ba8b683eca181784d049efd008f50aacf5cf4079
SHA256

9bb59ea13d91b11739e9eb8e39ab243d80935310838b0f60b450ac2a906aabee
SHA512

0f3977bb0b137ad65465a38be1d97acbd50e1f57078c7bed957fd0c210d1bd5f4895b9afac8af4c202a3f905f021cc7042210fe030ff5de6e6cb7c4f90591dec
SSDEEP

49152:1gwNggyPXuB7fEtKubsISTb/am5B8y6sEUhSSwhUPMum:1gwNggyPX48zbsIW/amj8yF8Sg

Score

8^/10

discovery execution exploit persistence phishing privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLVERIFYINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
4624	takeown.exe
2872	icacls.exe
2872	takeown.exe
2008	icacls.exe
4764	takeown.exe
3688	icacls.exe

A potential corporate email address has been identified in the URL: currency-file@1
phishing

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4764	takeown.exe
3688	icacls.exe
4624	takeown.exe
2872	icacls.exe
2872	takeown.exe
2008	icacls.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
51	discord.com
50	discord.com

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vbox-img.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VirtualBoxVM.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libssl-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 15 IoCs

pid	Process
3488	LDPlayer.exe
1740	dnrepairer.exe
2480	dismhost.exe
3584	Ld9BoxSVC.exe
2272	driverconfig.exe
3480	dnplayer.exe
2860	Ld9BoxSVC.exe
344	vbox-img.exe
3404	vbox-img.exe
4868	vbox-img.exe
2024	Ld9BoxHeadless.exe
4800	Ld9BoxHeadless.exe
1116	Ld9BoxHeadless.exe
1464	Ld9BoxHeadless.exe
2812	Ld9BoxHeadless.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4556	sc.exe
1828	sc.exe
4024	sc.exe
4032	sc.exe
1176	sc.exe
2436	sc.exe
4192	sc.exe
4916	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1740	dnrepairer.exe
1740	dnrepairer.exe
1740	dnrepairer.exe
1740	dnrepairer.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
2480	dismhost.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
3584	Ld9BoxSVC.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1072	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
1552	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3832	regsvr32.exe
3912	regsvr32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-bf98-47fb-ab2f-b5177533f493}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\ = "ISnapshotDeletedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\ = "Session Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods\ = "115"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9849-4F47-813E-24A75DC85615}\ = "IParallelPortChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E64A-4908-804E-371CAD23A756}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\ProgId	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1207-4179-94CF-CA250036308F}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.apk\DefaultIcon\ = "C:\\LDPlayer\\LDPlayer9\\apk_icon.ico"	LDPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-e4b1-486a-8f2e-747ae346c3e9}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787b-44ab-b343-a082a3f2dfb1}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7708-444B-9EEF-C116CE423D39}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ = "VirtualBox Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\NumMethods\ = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\NumMethods\ = "14"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6FA-430E-6020-6A505D086387}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
1740	dnrepairer.exe
1740	dnrepairer.exe
3360	powershell.exe
3360	powershell.exe
3484	powershell.exe
3484	powershell.exe
1728	powershell.exe
1728	powershell.exe
3488	LDPlayer.exe
3488	LDPlayer.exe
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
976	msedge.exe
976	msedge.exe
3856	msedge.exe
3856	msedge.exe
2272	msedge.exe
2272	msedge.exe
1380	msedge.exe
1380	msedge.exe
5016	identity_helper.exe
5016	identity_helper.exe
6072	msedge.exe
6072	msedge.exe
6072	msedge.exe
6072	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3480	dnplayer.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe
Token: SeDebugPrivilege	3488	LDPlayer.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3480	dnplayer.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
3480	dnplayer.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3488	3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe	80
PID 3936 wrote to memory of 3488	3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe	80
PID 3936 wrote to memory of 3488	3936	LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe	80
PID 3488 wrote to memory of 1740	3488	LDPlayer.exe	81
PID 3488 wrote to memory of 1740	3488	LDPlayer.exe	81
PID 3488 wrote to memory of 1740	3488	LDPlayer.exe	81
PID 1740 wrote to memory of 3864	1740	dnrepairer.exe	82
PID 1740 wrote to memory of 3864	1740	dnrepairer.exe	82
PID 1740 wrote to memory of 3864	1740	dnrepairer.exe	82
PID 3864 wrote to memory of 1780	3864	net.exe	84
PID 3864 wrote to memory of 1780	3864	net.exe	84
PID 3864 wrote to memory of 1780	3864	net.exe	84
PID 1740 wrote to memory of 3720	1740	dnrepairer.exe	85
PID 1740 wrote to memory of 3720	1740	dnrepairer.exe	85
PID 1740 wrote to memory of 3720	1740	dnrepairer.exe	85
PID 1740 wrote to memory of 4568	1740	dnrepairer.exe	86
PID 1740 wrote to memory of 4568	1740	dnrepairer.exe	86
PID 1740 wrote to memory of 4568	1740	dnrepairer.exe	86
PID 1740 wrote to memory of 2200	1740	dnrepairer.exe	87
PID 1740 wrote to memory of 2200	1740	dnrepairer.exe	87
PID 1740 wrote to memory of 2200	1740	dnrepairer.exe	87
PID 1740 wrote to memory of 1936	1740	dnrepairer.exe	88
PID 1740 wrote to memory of 1936	1740	dnrepairer.exe	88
PID 1740 wrote to memory of 1936	1740	dnrepairer.exe	88
PID 1740 wrote to memory of 2472	1740	dnrepairer.exe	89
PID 1740 wrote to memory of 2472	1740	dnrepairer.exe	89
PID 1740 wrote to memory of 2472	1740	dnrepairer.exe	89
PID 1740 wrote to memory of 772	1740	dnrepairer.exe	90
PID 1740 wrote to memory of 772	1740	dnrepairer.exe	90
PID 1740 wrote to memory of 772	1740	dnrepairer.exe	90
PID 1740 wrote to memory of 1888	1740	dnrepairer.exe	91
PID 1740 wrote to memory of 1888	1740	dnrepairer.exe	91
PID 1740 wrote to memory of 1888	1740	dnrepairer.exe	91
PID 1740 wrote to memory of 4764	1740	dnrepairer.exe	92
PID 1740 wrote to memory of 4764	1740	dnrepairer.exe	92
PID 1740 wrote to memory of 4764	1740	dnrepairer.exe	92
PID 1740 wrote to memory of 3688	1740	dnrepairer.exe	94
PID 1740 wrote to memory of 3688	1740	dnrepairer.exe	94
PID 1740 wrote to memory of 3688	1740	dnrepairer.exe	94
PID 1740 wrote to memory of 4624	1740	dnrepairer.exe	96
PID 1740 wrote to memory of 4624	1740	dnrepairer.exe	96
PID 1740 wrote to memory of 4624	1740	dnrepairer.exe	96
PID 1740 wrote to memory of 2872	1740	dnrepairer.exe	98
PID 1740 wrote to memory of 2872	1740	dnrepairer.exe	98
PID 1740 wrote to memory of 2872	1740	dnrepairer.exe	98
PID 1740 wrote to memory of 1120	1740	dnrepairer.exe	100
PID 1740 wrote to memory of 1120	1740	dnrepairer.exe	100
PID 1740 wrote to memory of 1120	1740	dnrepairer.exe	100
PID 1120 wrote to memory of 2480	1120	dism.exe	102
PID 1120 wrote to memory of 2480	1120	dism.exe	102
PID 1740 wrote to memory of 4916	1740	dnrepairer.exe	103
PID 1740 wrote to memory of 4916	1740	dnrepairer.exe	103
PID 1740 wrote to memory of 4916	1740	dnrepairer.exe	103
PID 1740 wrote to memory of 4556	1740	dnrepairer.exe	105
PID 1740 wrote to memory of 4556	1740	dnrepairer.exe	105
PID 1740 wrote to memory of 4556	1740	dnrepairer.exe	105
PID 1740 wrote to memory of 1828	1740	dnrepairer.exe	107
PID 1740 wrote to memory of 1828	1740	dnrepairer.exe	107
PID 1740 wrote to memory of 1828	1740	dnrepairer.exe	107
PID 1740 wrote to memory of 3584	1740	dnrepairer.exe	109
PID 1740 wrote to memory of 3584	1740	dnrepairer.exe	109
PID 1740 wrote to memory of 1072	1740	dnrepairer.exe	110
PID 1740 wrote to memory of 1072	1740	dnrepairer.exe	110
PID 1740 wrote to memory of 1552	1740	dnrepairer.exe	111

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_2281_Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB_ld.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=2281 -language=es -path="C:\LDPlayer\LDPlayer9\" -googleid=Cj0KCQiA0fu5BhDQARIsAMXUBOIYknRc4IXyvDZcXG-fd1Q6nyZ9qbgnSF4WPCaDzapo0HrB2d9oEdQaAhLcEALw_wcB
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=131450
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3720
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:4568
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1936
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:772
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:1888
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4764
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3688
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2872
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\dismhost.exe {29158BE4-0F98-4260-AD61-6C0A3DBAF3E3}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2480
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4916
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4556
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1828
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3584
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:1072
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1552
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3832
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3912
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4024
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3360
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1728
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/ykt8hgSabz
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff9f8e3cb8,0x7fff9f8e3cc8,0x7fff9f8e3cd8
    3⤵
    PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4636 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4644 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
    3⤵
    PID:788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:1172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
    3⤵
    PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
    3⤵
    PID:1392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3504 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
    3⤵
    PID:5156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3696 /prefetch:8
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12204439055900107597,11741127234283039827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
    3⤵
    PID:5680
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3480
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1176
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4192
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:344
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:3404
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:4868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/how-to-update-the-graphics-driver.html
    3⤵
    PID:960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff9f8e3cb8,0x7fff9f8e3cc8,0x7fff9f8e3cd8
      4⤵
      PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://es.ldplayer.net/blog/94.html
    3⤵
    PID:2072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9f8e3cb8,0x7fff9f8e3cc8,0x7fff9f8e3cd8
      4⤵
      PID:4012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
1⤵
PID:4088

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2860
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1eb5ffaa41c73d028b4108eef962fb7f

SHA1
bba9bcb8a064fdf68a79bae656f11ba039c9cc77

SHA256
421b885202b3bfe4c7e5f9281c17f836df1de98db6d14c6590eabf4d8153a6af

SHA512
148863b577f7d9fc25225e8dfd3f01d4865afb1596dd320bbd0451fae9d173fc1e15105f0e98352bffb6c36a2462e3d8292ce6db8877b0b921b304be1ba2b879

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
03746b5d567927bdb69499ec30039d8c

SHA1
93b08624bd80ed01c370e0ba9a2ee3824edd8733

SHA256
1e3b7a0ac94de0e7209b19b709a0ddd2effbc1b98437a81b3d3dac853ef54b77

SHA512
abf608e020e732407524b780bed7b894768f9828dbbecb1a66c9b6d8cb079380646bc228dce5f1bdbef4b089b241574a22c79eee3271a623cd05e7754ad83e19

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
2c8986ce6c1c5fcba4146f642e95d862

SHA1
a913254e6a9bd1db7825f9880a992f21a6827bd7

SHA256
07285fcc8e65f164c8897ebdb63dc44801dae28782a6b2ee5f3469c64952efd6

SHA512
a5b074ad394b75f2597007ca732f5e1b877fae483122332dbcaecfea0c6c52a658df8b5844e60280766fcd38333dfac3a259c159c405a83ea6b78691405203d5

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
5115ad2e73db8f2c00f9328c97469e0a

SHA1
552a24ab6bf961d84b1211f0b9d083c24c36781e

SHA256
19b8c6fa38f2fcc728acb3a110ab4bcdb49648440957a75ecc107c84f3eb7be3

SHA512
7ea61e22a4d036a690ed6fdb6fe05464c0430cc4811930815d6d7281f99c2895e7956b90ec255f59020da82c6f7ae32a9ac780e9d4464a05d4f680119a4ec739

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
8556c04c551d35d6a80ebaef4bde9af1

SHA1
158feb0ecf4a6c5cdd93169cdac4c8f10db6f85d

SHA256
7dd496d6acdc405576d42cb50956c203f7aa69080c65e587b1629f45d0b52ee7

SHA512
b29ec3d8833e96ec672ac7378b86bbcd3a9a306d01ae7acb143f68686fc7416a22cf09f315cbfad0e38aa2e7d8595df2584e38bd6d9b1f3173f7b1b7b49da227

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
852c498786f773566e24e7351dcc2f74

SHA1
49c7a79ec6f3aa061fb432cc4831464ffc2500e9

SHA256
6e21c34f90000a9aacbdc506a1f487d2647aa4409e1b3166849dafdba85ddfc1

SHA512
7f080a7efcbae5cfc47345cd6d4d5318a2c0a0059c4c3153ed4b5b66d882a9af445432a7f3ac2f5d3d658ac3e1aa344666c74be062021d8552e6103cb7bb5d7d

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
effb6f67ff0eb9ab9837b1e32e341e70

SHA1
76e20864f0d59fffe9ac282dcfc35ade3705225a

SHA256
0bb54dfcb708388b1fee65333f44e90e74080f75929f9adb0981121b86f596bd

SHA512
72eb151d511388e391d3553f3439ab23a6f199438afc419f59ad609f93db1bf0f75a118079aa977a255018545bb610dd83abe72c5add6aec96085974aaf9cc58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83D863F495E7D991917B3ABB3E1EB382_4842B4543C789FC992419E09C95EDADE

Filesize
471B

MD5
189ffe5c73ecc7cb1184344586d969d9

SHA1
5058a3a6bd854615db7bd8327058e993a507f920

SHA256
87c2a216a972e2c931389dc7cf387fb6b8847068862042807e9e6a37bed20f5e

SHA512
055602237eb7f723a841fe0aa47e8f9f40876ade7e4e11a662f58910b97a112cb7c89ba8e9d00a972b39520d50a88a464b1e42a1ebd2539dd141ed6dc9702ea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
23c1721c33d7f76bafdfe4a1ff10461f

SHA1
671e9db0a0525c6159f7ce1f97143abe83b2490a

SHA256
cf047d5452b62dca8189b0e1fffe4cd26bc2b0e70d62a071c0d1574a8a314059

SHA512
98650712199f75f8cf9f993b77878405b6813ed7f012b2c900fa170584aa00f115f81abb01634a816b9afc59a8c2c5b6a3ac6a25781d8fd99a97c0c043e989a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
0664114ed2fa77e003546e2ebd35560e

SHA1
51c63003e1697721ff3a8b53dc51d94e8404de64

SHA256
7f803953cadc7bb9036aac442e97f76735c0a0f6c696b75f539faa8ff4d9120c

SHA512
505c3191045db81a7cacf5c5d542cb4b051d4c13d43358169884fa4eaf7f5f336b7892ba62b09479ca67a495f0f4332ae9148b7bff1e1b591e6ed3d800a1e693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
b5afcc970acf3fadfa641690e433e0bf

SHA1
a5e4e98f6ed8b665db9e08d44717527b21155cf8

SHA256
0201e2df5fcfde7cb47dfa092ad6c8e367e867dd1fc4494da18798e7b07f8b1b

SHA512
231b5aa47c21c979757cac21921263727eb10919a60a5a58f3a896963934736bcef56da64cdd7e8a4af4b1bdf3ce748237d57078c426b7ed262307aa6a9d9588

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83D863F495E7D991917B3ABB3E1EB382_4842B4543C789FC992419E09C95EDADE

Filesize
422B

MD5
058bcbc9d27ca7d76cddcb6bcbea6804

SHA1
c5965a12c0f3e2711b5aba63fcb0c40a4cbc29c2

SHA256
442f50977c6b948677088094ef5d218eead867311560ca7dbaab36823a737137

SHA512
f2f030b58aceb6a4f09d66e346b07ed495e7786b18d4f8cb3f72762e01cdc2bbd8797645d1adbf01c517ca0dde65b0ac0f9263031687e8ad264d0deacbf75018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
b7a8335f525a00318c47b9e6967d03b0

SHA1
469c5ed060c1a593beb4e844ac926bbeccbf4506

SHA256
e93632f47fd3689540f0aa9a64093fac921c16f2b5a5940fb1df5bccbd5c99f1

SHA512
aa8d4c01d4ce4c9b5aac3848bd218ec8c2f8808d34b0eb9e1df33505d534112995ba0fc396f5643f1eaa365af8571f9bcc69644a6bdb9e4820627bc393af0d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
a4ba26a3d6332768574761c75a9ebd5d

SHA1
d02374bbede8f2849e5a2ebd4df59b7e2d26fe4a

SHA256
a921a7d82949d1f90f026a83abd30c52a34dcf7fe3e5b694acd20bf4ac148f8c

SHA512
e17bcc27688722064fc38c978a97326d1548422ed3765b46e70c32620473c4f62c66712099267897d70b04c40c1387a1d74a5c2a3430787a8cb31bf9394ff9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
25KB

MD5
777a63c7bb73394365962e8e0fd2dc01

SHA1
2ca4ef52bd745378018eb30180ffa208a76b5c04

SHA256
10a7f1cc102eed344c455765969891f8c4ef071626036419fba5f17fa42810df

SHA512
986adc9a20bad40f8cace5dd9af3c3ac58e2fddfb30363ef61ef51d2493e603e28241da0144833eb62cae3c2d3fd2a38ba0a4822f01eb890cf58c7d7febdb8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
80KB

MD5
7fdad331627b106b4f1aabb59741efad

SHA1
1860534a45ddfa89a157450f571f507ccb2fea8d

SHA256
10be400408467f9c2f2fd276b70bd043ebb170e62bf0a821a37d235641e43ac1

SHA512
7504120fdf5e65291120cbdd3b4442578eb7e8384cc71b0b28c05c1e115cdb2e971477ee769324d0daa59cca7ff36602a9848be1f2a8723e905d8d45fd993ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
84KB

MD5
af17d06d324a90180118fc69fd72e904

SHA1
943c3ce1289d91e2bad60d2db3eb9ece5f9f3448

SHA256
544cc874013cda33d43943328ec4c8b8d5bbd7ce78bc0b1275b1aa4b0400050a

SHA512
83887069197fef9bdec47a6252252ea9b6923fd000f89cf47947381d0face3a29e611670239fc3e8529bf03ef17e77aaf26e5f6abaa0a2b4be145ddc1e5f6d9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
28KB

MD5
b8d23587abb01a892ef21319a8bd0e85

SHA1
b91ed2d886fc8073c15e155363d8cc38a58d76ad

SHA256
a52d6052b9a00507e9277a1c7dc2fec0a83ab6c69ddd5389bab34e1b54136e4d

SHA512
193b304d2f6618293c25d474d65417653f447d87afd508b66c980522bed36fa45dbc4f3cc6a21bfa432b8c7d270767277e8cc85765468c02312f002eb0370c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
16KB

MD5
89a574ff00e6b0ec61d995d059ce6e65

SHA1
aea09e96808ab77165ffa712eaa58b8f056d0bb6

SHA256
e5c29c139842fd487473d0824f2c01b374680fb35d22fa929686d17896602a44

SHA512
30d0d40bd680e61968273155b740901cdfa66670fc2af6f23e44c6b998b67cc1fcd0b51bd5f9470f209f188e75d071355e592b2a7c97f4bfd15d07d455e0909d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
16KB

MD5
cfa2ab4f9278c82c01d2320d480258fe

SHA1
ba1468b2006b74fe48be560d3e87f181e8d8ba77

SHA256
d64d90cc9fa9be071a5e067a068d8afda2819b6e9926560dd0f8c2aaabeca22e

SHA512
4016e27b20442a84ea9550501eded854f84c632eeced46b594bcd4fc388de8e6a3fbfe3c1c4dbd05f870a2379034893bfd6fd73ac39ef4a85cbf280ab8d44979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

Filesize
65KB

MD5
8a42ba5472aa4afa3d3ac12f31d47408

SHA1
2add574424ac47c1e83b0b7fae5d040c46ac38a7

SHA256
759bfec59bce5ddea7751b7f93408074a8c27cb2c387b08b6b9f4aa111266ec4

SHA512
3e1081a6e1c29f6dae28ab997c551a6d107d4f4b7e0981a19ba81a30a4e420dee1791321dca8f4b500c9e7e4a41c5e5c75013a72e5a5cde3f7e6c50393eb10b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
20KB

MD5
02d0464758450d87a078aea4e46187a1

SHA1
41154a61b8192c00a4f03e5ce97e44ecc5106e74

SHA256
c6aabc7504bbf101eb3b39fb3f831b61148f34605c48b02ba106aedccde52750

SHA512
9af139023983a975acb29147037f4fa8ca820e15b4c5f471e2cb000909970ffbfda2b210c8330cea93271bfde3732455a545730e242f1a0e59871bdec702b39a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
20KB

MD5
e92faff58b6be9dba9bc283c4f4c8513

SHA1
49588273a413dffd248cd35dd191189ed2c2343c

SHA256
8c6c6736f4650f9bf7af6fe14128a3d173816f3dee2e02c5552240c04852b691

SHA512
52ddb77b600f519eed2343d528b9c9bc03585c82edaa91c63e8850d19be23c2f645bc8faea19c3d75ccffb30e4e69a3605883106fb1783346a8883465051643e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
20KB

MD5
9653b4440ccda7914eeebaa5ffecddbf

SHA1
dd6c46dae47f71c7a402b52dd26686f417c433f7

SHA256
227b41c3fc7e5839e1c8cdf43c7b030dfc3f081f9bda92ae700f75d1443327d0

SHA512
2de4cf6720633bd68185576fda6783cdc51ffd60e24b44f4b8aa4c28f5ba7278ed9a3ebe91d78b262b113ac3d75cf2bca9425545606ed2ca15392bd213fff349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
32KB

MD5
a201007e44ff8e63e7dc819cfe1a485b

SHA1
1007e55d4195e99ff94623b3b4489541fe297e39

SHA256
678e3412231cba927faf41bfb44862512385a0eeabae0127f363764ff825eb38

SHA512
7382efad57e82efc4fc8412e7a277c24f1cdec324cac16ddc2ce09d36ad660c55e9b5b58ed1f34e0515eed7cba22ded8b1a6c43f73e765833832f9189e99edd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\64607533246cf534_0

Filesize
312KB

MD5
3528152e87cb849ee8603fbc78e1213e

SHA1
c07eb9541f7cd23f4639aa406467bfbcfc160609

SHA256
6d1349019d7b7c09e5cff150624af344dd52ce87e7e3ad8c4d2c45fa405fff3f

SHA512
5114eb9f268cc8a1abb030a8f2c4877ff5c3131cef0d9664ef16d00d05a73fefd4abe46604009c388207cb4ba04b913a45e3ad61634d06715f5e9d5cc89e5e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6c644062b95acf88_0

Filesize
275B

MD5
614a2770e6623beac8ee7a984861f35a

SHA1
a43a0a036d5503acfd85941aa9f2bea8a92b8666

SHA256
6773778b6e97b7cf48b27a29b3840d41074ba7d633a45a141a2fcb81623132f4

SHA512
7f0a85c89b0c681ea17f99e9117140b966d87b50ff2794b694c836162842ddde4ccc89f8da6bb69b8c6f18034c389641620dc01f6c4b23d7a2025654592c664b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6ec26d8af1ec00d5_0

Filesize
92KB

MD5
9461e3d077f5d310fb5edd97c4e5a539

SHA1
73b487bf5b564b205ae9e02c7103f6f1a328344a

SHA256
8b7d551b52404452d6f3d10d704837439d7f83b33c4125e28c8e4e7e789d821d

SHA512
732bd94695ee1f0663de7c62494b61fef7cd236b28b7f1a41a97532579bddfb8da9e3020ebd46dd42b873a320187d4d7559b2aa7777c9b6a1b57b5edab114325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bdff3907e497c060_0

Filesize
279B

MD5
7032622c7d282a514d426976a46a609f

SHA1
36a5792c50d7a3418031b7480f3c7297ce09566e

SHA256
98541eaf18d40ae694ac60b6201f69a74d74d14c42cddfdee35b4bc21cac73f8

SHA512
60b6228171de03e49ddcfe977796b4221a31ff6c0928bf9ffc898112b6bc9432d0fee7c91ee83ac226ccf265f2040ec5c87ac25cb0def9a84a4bdfebce1c27b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a11c4cad7d4ccc08da29bbf9fc26cf79

SHA1
f43ed2656b2ca514eff35fe92f2bdbf78b56ab56

SHA256
b200f3c336ae5dcedf37f3ea6fdff8eb987e6b9d305bd0c6a24f389c46a320d3

SHA512
e6e80dd1031b8bb469bb53dd22939dd85bd69350ab21f449931f1bdd3c10bdf9d7d0a6dc860d9a31dbaeb5405447700cb8d346f7aa219f63db6eeef641a9b405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ccafbf560c1d97eef2847f0f13e09c13

SHA1
82586489aaa68e4471ae0d4cf1deab1d03b1a82d

SHA256
e9310c49561a7739391b605fbc789eda761fbd789964b65b7857a5a529dab177

SHA512
919a75be0c6b4b6836b8037cd011c9b748fbeb26c2b003be0be6bba01d057fd7451263873e0b9c0c55ab4fde8452e969925464d8794876cf57c7e1994376404c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
00cfc32f5f2db9f46332c534e4ca4371

SHA1
112d97185ae08e375039aed05ef7f3f142ee3182

SHA256
184a4196f896eaf630c6e27f29d55cafe78d00bb4b519ef0d5108943394adc2c

SHA512
5b9e671ae42453f7fe2ffa2e1df0fd7e91aa9efd3947be11367f5d419cb935212e5115ff6a5feddf922e8b5223bcefea416ea812475c7d9a0f240e39c282fbf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
72838d06617e4d8f011a3f4d72946b7e

SHA1
bf5a32dc75bd848f616c15d3abb539ebc6daf55e

SHA256
fb20f3be31df4e0b1793133b4df0830b79ac214368fd6608c31a6a1d01161c13

SHA512
3593a1b86668c76e992faee5c0d3fed1b36f34ef1a53ef6fac10effb4c6bdfafcd144a83d5f89e76a2a3b371f8aa6a83f7da2aa084a3803f9ca55678631e5a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
8c9660e828be83dbd6c0d90bbc525daf

SHA1
74ab47313388758e070d6073c1161ac5654b336d

SHA256
bdd4736240c0a1a11688d0954353f055e2b05fb6eb8c91b4d9bd146ce1ddba17

SHA512
57121552c96bd85f4d3ea1a7033a147822d04a1015295e21777616540325871025eb6171d53ec911846b487e8ec1ce2d2ef3367edf28005d50636245f95df7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ee47121315ce688666f4c87c0525b0e2

SHA1
96fcf4581e197657e8e202880f72631effe717ad

SHA256
d88575d2c977dbb23b5d7199a41cc5a8a16fae79b0139b1a283f813d7d4746f7

SHA512
b9e24ed441b1129ad693be939949f4853755617ce96d28266fc2f8869e0450286c0728cc349dae4bde395f502ba549b28ea3eb29ee8f3179a0444501ed8b0eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f3b2e5bf3330b33952fbdf8575b58dae

SHA1
a76d1362741e48683dcdc617f51e14fbb9166478

SHA256
097c4d9fc891c6a7d5dd8fc030477548632c6b60fd41d8040e697c809f61a814

SHA512
33adbbd336287ee348055c2d10b7c7be85be9f57ec7f3f616a2bcf88eac7e7a9caba0c826d54832ef05f36d708ec5bc92c64acf5bfa15a0a6a687a61466e226c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
095c436843bbd83d2167d68cede54d5c

SHA1
7c56b69967add315104f02221b9b58b6cc7bd28b

SHA256
a0e899c1f4cfc0dc8c31031610f51bdedaae157aa9452f4d8ac68743e7c5ed10

SHA512
4ae8beff8ec4fcdbb26dd5ac5d2893cde74b1d1efe2cf88760cbb1984516494e92858626510bd30a0a6eb9d1b2935fef121b6a10835a42381c494227bd5f838c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
1fb278062aad96ebe30207b4d576efbd

SHA1
591d3735ff296bfa82fe41e27ecf14429faf079b

SHA256
df69495ad4eb575ebe31d8ff126df2069699527a0cf79a12e6829fcb0f9be776

SHA512
46e5bb671b8d92454b3645e89debecac2fd9028304205ab2bf13e1209a0f6e89db8aa684b7df98e7a8826aa330ed3017409ea8c725d4cddf929eff2976ca3b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b053729db2afab9c49108f970ae087ee

SHA1
6e8bca47a77713e5448c2e227ebf91757756c2e6

SHA256
1180d2b251129d71917546d7d65b3de46807fb3808d92f5ae2ec319a486aa76f

SHA512
8a0bc237146a3720d5fbedb978f6a4d211030ad47c47ec94980b7ff68b03868c9591554f7da8ba83ded93bc5626920b072d26945326c9c293e2868fd9584ca4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d1059471a34967ecbc012fd0fd4c10d2

SHA1
3b0915f264eb9c16fcdc2b32d275c48a5397e7b0

SHA256
23927a4bedd41abecc25a70272f514f60c58455395157d1d03cee5a04b5a18db

SHA512
33ce3c8f9e18d41b666fd89c9659123588028b3bcd504b0d0a1a499301aa5d6ccee8663ebb754e8267f5f790c156b8eea27b2e8425ac5d18f7857f2dda693497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
09536ce13bb014fd38a1ee1582937159

SHA1
88bfbff0add0bfa0af7c9e88ab023751a0ea8c7b

SHA256
16b82c4d48efdf801255da153ae22d48549c1fa2ca3fcc9b2381ff74079668c0

SHA512
ab2127dbf194ece988b4699d10f793b625398a371823024ae87d149a7245bf1e62f5368c0c317edfec9631ec0962a24636ecbce04b54a4df328d91d3ac7bdb06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
95d876265b1e24de3b6ac20f78a13b06

SHA1
5e533950c55bdf1f0b7b4f256f2311b47a607c82

SHA256
d1cabbf35f982d4cd1a8d6ad67bcd64a99059f13244104c00bea0e7f20032f15

SHA512
495a3901da1bb9fab93f373f1ae9ec4c262dd8b55bcde22ab893215a46d3997302d83f082d9f236184cb4cc2e324e65a16cc7799a7ee7edf8e7dea2c741c5746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cc2c58f43b4ada203939b3725cc28bfb

SHA1
b01b29d35f484605e4c00649ceb8f23f62c6964f

SHA256
b4b13853031d1d30d368a2712907b388591d959dbb35580bd18bcc67aad1a8db

SHA512
1eea8b4713195f0eb44abcbd3982f7d6517e1a58319fda42cb8d53e95541bd0e24e823d226253224bfa21f950f92017fe9c2cebbd56c35f60d340e2b98e7a913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
24c9752e9694a4cd37875916a1d31886

SHA1
fab51a9588809925782f6e724db25aff50818772

SHA256
3fb1b0efa87753ba98cc6e21741eae63535b888b80aa77559a48b2273f67b7c7

SHA512
75eb34784a8e7902aefbaa282c595cf3b705c092ddd9c11edd0b061de8f46f0597b0c1fcfc7317d7b2f33ac4c379195b652e51b37df142d4fec517ad7bd54da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a26b3.TMP

Filesize
370B

MD5
481fa4e5805156474a6ef8002f05593a

SHA1
1aadacba5cf760891ce6517b1f72f8a4833b2ab8

SHA256
69992f4ca9518f6b33dae194e25c03dc97ab9fdef0105289bb42c08fda781d06

SHA512
de256f40b7927422bbfac4eab8cd02e02d58eca1584bb7690671bc3db0283432a328dbce158eb211077ca927fc37f573367251c519b12220abe5d8f86785ba77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
45c7d5ab34af826c033cb7c30cf6b344

SHA1
b59bb65fd71adba58d1e06717a3436e5b39a1bbc

SHA256
1e13d9c7b4e4b990401ea352e10bf14c105143b8184cf5f993c4bee5113cf0ab

SHA512
3f04491d4c40e1167508a8a262b4ac90cace629fdddb18723e65638d525f53693f54223ccfb338f29d7a9a661230b9439156230bd2e9c75a1fefee18d78d8eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5026740e35f08208c3e0f7718a7dce6

SHA1
4070c540ab6385823c514359211719ef3989e894

SHA256
8f594bd70b5d09ded91c775647985fdc0e9f89e0a67f4cd305ca1fd65da01d96

SHA512
89cc4e673735a3d1642265465a289459b4c63629634a7177b39a16a235569def83b6e18dc6f521fdee32300dee36044a33f18a671ea814ac5b6e2772fc7fe0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\Ffuprovider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\MsiProvider.dll

Filesize
208KB

MD5
eb171b7a41a7dd48940f7521da61feb0

SHA1
9f2a5ddac7b78615f5a7af753d835aaa41e788fc

SHA256
56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55

SHA512
5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\SmiProvider.dll

Filesize
272KB

MD5
46e3e59dbf300ae56292dea398197837

SHA1
78636b25fdb32c8fcdf5fe73cac611213f13a8be

SHA256
5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339

SHA512
e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\Vhdprovider.dll

Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E65E636-8584-4195-AB2D-D86F97DECECE\WimProvider.dll

Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2cimj0c.yax.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
b33f2e65677a256b37e75340c167f54b

SHA1
735c404466aea6a70e653a6706cdd0b4d65c0aae

SHA256
77e81f19ef02e620898b53a308d502042b9ae732d9741b99062a1baaa164dcd7

SHA512
cf1bfefef47d5cee5932fc9cccf323f87640912225cb5b0f93442929fc96f32edccad48fd8c95def9be64fa62c750add4b53448e3e4a2e854f8940be7aaefc8f

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
263KB

MD5
5ea29ca9a1ffdc5f169d409832fedace

SHA1
8cb44501a4787d13c76912867dd5ce8e099566d1

SHA256
c015614ab9e7b5c8fb8b1865666a77ba71ef60d4799dc44d5727925c23d0e4b4

SHA512
379d7024c7d117e7661c2a423b51153e9ef0d9f1919acd4474f9a01f0a1c357a0f757436cbaddbf4862e1bb000553172c1ba964e6d26a8e268f0a0a378bb5593

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
266KB

MD5
a2aa371d4699a40ea9af3a8a30c4d6fb

SHA1
c2012d2a6e1662b6b9a265be1a2dbc9fa629895c

SHA256
1bb66fe745edc208f3e1a683dd1604d89333d10c4c00cd3d3abee17f6f1f379c

SHA512
ea292a932e1c79d0b7ad35dde23f58e24331050e7d5b448a8661dcef8b011a4577114b3bdacd09638419a6c9fde4ad0c29f1759ea4350dd666d7f306f2e54c58

Download Submit
memory/1728-939-0x000000006F350000-0x000000006F39C000-memory.dmp

Filesize
304KB

Download
memory/3360-875-0x0000000002D90000-0x0000000002DC6000-memory.dmp

Filesize
216KB

Download
memory/3360-879-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/3360-905-0x0000000007970000-0x000000000797A000-memory.dmp

Filesize
40KB

Download
memory/3360-904-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/3360-903-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/3360-901-0x0000000007580000-0x000000000759E000-memory.dmp

Filesize
120KB

Download
memory/3360-902-0x00000000075B0000-0x0000000007654000-memory.dmp

Filesize
656KB

Download
memory/3360-892-0x000000006F350000-0x000000006F39C000-memory.dmp

Filesize
304KB

Download
memory/3360-891-0x0000000006B70000-0x0000000006BA4000-memory.dmp

Filesize
208KB

Download
memory/3360-889-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/3360-890-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/3360-888-0x0000000006110000-0x0000000006467000-memory.dmp

Filesize
3.3MB

Download
memory/3360-907-0x0000000007B00000-0x0000000007B11000-memory.dmp

Filesize
68KB

Download
memory/3360-906-0x0000000007B80000-0x0000000007C16000-memory.dmp

Filesize
600KB

Download
memory/3360-878-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/3360-877-0x0000000005710000-0x0000000005732000-memory.dmp

Filesize
136KB

Download
memory/3360-876-0x0000000005A00000-0x000000000602A000-memory.dmp

Filesize
6.2MB

Download
memory/3360-908-0x0000000007B40000-0x0000000007B4E000-memory.dmp

Filesize
56KB

Download
memory/3360-909-0x0000000007C20000-0x0000000007C3A000-memory.dmp

Filesize
104KB

Download
memory/3480-1218-0x000000006FF40000-0x000000007193B000-memory.dmp

Filesize
26.0MB

Download
memory/3480-1217-0x0000000072180000-0x0000000072726000-memory.dmp

Filesize
5.6MB

Download
memory/3480-1216-0x00000000720A0000-0x00000000720F9000-memory.dmp

Filesize
356KB

Download
memory/3480-1215-0x0000000072100000-0x000000007217A000-memory.dmp

Filesize
488KB

Download
memory/3480-1214-0x0000000072730000-0x00000000727AE000-memory.dmp

Filesize
504KB

Download
memory/3480-1031-0x0000000001A50000-0x0000000001A66000-memory.dmp

Filesize
88KB

Download
memory/3480-1052-0x0000000037660000-0x0000000037670000-memory.dmp

Filesize
64KB

Download
memory/3484-912-0x0000000005AC0000-0x0000000005E17000-memory.dmp

Filesize
3.3MB

Download
memory/3484-921-0x000000006F350000-0x000000006F39C000-memory.dmp

Filesize
304KB

Download