500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4

Analysis

max time kernel
300s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ar_1101_ld.exe
Size

2.1MB
MD5

2b259cd02570e0d7103c70fe9a9e4d17
SHA1

035fe918c59274c1fc662e7d88d0d92d1150fa19
SHA256

500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4
SHA512

2547a8b631ca07270668741612a8a0d3935008a98ab538f6a14fb1cf3e8d2d82ae7bbe9fe22a495b32ee16b038aaa268b2750ed42705fbf6d080249279cdcb27
SSDEEP

24576:Ezvv2Jddh0hXxwQNBH5ffUX5zAEefc5Urz5Eo7zrrdXbETyLAyNBN/8LcpmZQ4J/:22e1iify35cdrrFJAWb/8amDe8hSSw0r

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETCAPS\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
6044	takeown.exe
3548	icacls.exe
4668	takeown.exe
3768	icacls.exe
4544	takeown.exe
5004	icacls.exe
4016	takeown.exe
932	icacls.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3768	icacls.exe
4544	takeown.exe
5004	icacls.exe
4016	takeown.exe
932	icacls.exe
6044	takeown.exe
3548	icacls.exe
4668	takeown.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	3164	LDPlayer9_ar_1101_ld.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer9_ar_1101_ld.exe
File opened (read-only)	\??\F:	LDPlayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
237	discord.com
234	discord.com
235	discord.com

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCAPI.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VirtualBox.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2548_1685096716\manifest.fingerprint	msedge.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5WinExtras.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCpuReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2548_932473204\manifest.fingerprint	msedge.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe

Executes dropped EXE 14 IoCs

pid	Process
4696	LDPlayer.exe
1476	dnrepairer.exe
5148	Ld9BoxSVC.exe
4244	driverconfig.exe
3360	dnplayer.exe
5032	Ld9BoxSVC.exe
1804	vbox-img.exe
5696	vbox-img.exe
4792	vbox-img.exe
5104	Ld9BoxHeadless.exe
4764	Ld9BoxHeadless.exe
1600	Ld9BoxHeadless.exe
5400	Ld9BoxHeadless.exe
5920	Ld9BoxHeadless.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3268	sc.exe
1916	sc.exe
4108	sc.exe
5668	sc.exe
3872	sc.exe
3216	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1476	dnrepairer.exe
1476	dnrepairer.exe
1476	dnrepairer.exe
1476	dnrepairer.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
5148	Ld9BoxSVC.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
4484	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
2232	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
4032	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
1148	regsvr32.exe
4244	driverconfig.exe
4244	driverconfig.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe
3360	dnplayer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ar_1101_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6052	systeminfo.exe
2340	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875587383844163"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ = "IMachineRegisteredEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486E-472F-481B-969746AF2480}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\NumMethods\ = "31"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08a7-4c8f-910d-47aabd67253a}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-057D-4391-B928-F14B06B710C5}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{20191216-9CEE-493C-B6FC-64FFE759B3C9}\ = "VirtualBox Application"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80f6-4266-8e20-16371f68fa25}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\ = "IEventListener"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\NumMethods\ = "31"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1ec6-4883-801d-77f56cfd0103}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0126-43E0-B05D-326E74ABB356}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\NumMethods\ = "82"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ = "IStorageControllerChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\ = "INATNetwork"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ = "IHostVideoInputDevice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9849-4F47-813E-24A75DC85615}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\ = "IGuestFileEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ = "IGuestFileIOEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\ = "IProgressTaskCompletedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\NumMethods	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3164	LDPlayer9_ar_1101_ld.exe
3164	LDPlayer9_ar_1101_ld.exe
5580	chrome.exe
5580	chrome.exe
3164	LDPlayer9_ar_1101_ld.exe
3164	LDPlayer9_ar_1101_ld.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
1476	dnrepairer.exe
1476	dnrepairer.exe
5588	powershell.exe
5588	powershell.exe
5588	powershell.exe
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe
4696	LDPlayer.exe
4696	LDPlayer.exe
3164	LDPlayer9_ar_1101_ld.exe
3164	LDPlayer9_ar_1101_ld.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3360	dnplayer.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe
2548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe
Token: SeShutdownPrivilege	5580	chrome.exe
Token: SeCreatePagefilePrivilege	5580	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
3360	dnplayer.exe
2548	msedge.exe
2548	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
5580	chrome.exe
3360	dnplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5580 wrote to memory of 2408	5580	chrome.exe	99
PID 5580 wrote to memory of 2408	5580	chrome.exe	99
PID 5580 wrote to memory of 5812	5580	chrome.exe	100
PID 5580 wrote to memory of 5812	5580	chrome.exe	100
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 4572	5580	chrome.exe	101
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102
PID 5580 wrote to memory of 3488	5580	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ar_1101_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ar_1101_ld.exe"
1⤵
- Downloads MZ/PE file
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3164
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1101 -language=ar -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524814
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3448
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:1784
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:732
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3100
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3216
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4668
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3768
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4544
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:5004
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\Users\Admin\.Ld9VirtualBox" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4016
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\Users\Admin\.Ld9VirtualBox" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:932
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5148
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:4484
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2232
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4032
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1148
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3268
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1916
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4108
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:6052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4244
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6044
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ff89a61f208,0x7ff89a61f214,0x7ff89a61f220
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2084,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2004,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=2000 /prefetch:2
    3⤵
    PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:8
    3⤵
    PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3476,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4948,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5080,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3516,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:8
    3⤵
    PID:5548
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:8
    3⤵
    PID:3716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6424,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:8
    3⤵
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4828,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    PID:5172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8
    3⤵
    PID:4664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3828,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6068,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:8
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,5968298921202128279,14599620831083360471,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:8
    3⤵
    PID:4388
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3360
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4296
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:2340
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:1804
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:5696
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff89a79dcf8,0x7ff89a79dd04,0x7ff89a79dd10
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2040,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2016,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2564 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4320,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4348 /prefetch:2
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4712,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5872,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5932,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5572,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5468,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5984,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3492,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5436,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6028,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5724,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4952,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:5588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3224,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4832,i,17889669628731375992,2833629223264272054,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4808 /prefetch:2
  2⤵
  PID:4728

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x4f4
1⤵
PID:1052

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5032
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1ea48ba4040743ffc511b0cc923a178b

SHA1
72b76002087d62c9580ff2a1655b41095826acc4

SHA256
1e2e3ca8d4bfe01a68586e3568b8964eba8bf92a6bc19b7c245865ad9ba7280e

SHA512
20bc651739a267514cf2b7d158c2d0a56ac0251fe8c5f79eed7d88f6628d92d3bd3b697a6c958fb1f46f853c6defa204a6557996ad9d32a741e787cb8188026d

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
c4e98fdba5d3b3a95f96abf279bf240a

SHA1
c6bce2c2ae044fd4054a58f2fd9757252b4e9afe

SHA256
1f817c6cf7ba37f0d89e45640639e1b8256639045de98bfa63f17de3f4eacb16

SHA512
799cfbda36d41e2029b1d13a600807731cb230b2ceb96f2b77a260f4ea174af810ba1e64dd04d43a38f9caa6775ae0523c61f614e5b8c857433cb02ae06ef5ac

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.7MB

MD5
b668762c83ea3cb69a400824e3c56c23

SHA1
087621217249a70dfd7cbf2c46ee7a3053636d9d

SHA256
c167875d270e8a307dc7c125a118d2fce8b61425dded1bff0486115e6677afb9

SHA512
819928240e9f005cee2101f84d7c27bd1036f625d77ddd12f672b54d993fd4bdce32189f369f18ac36786b07d8d6602f281aa5888db7a86f92ee5ba2d179ec29

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
10b376bf925c50a88096b601abef4d80

SHA1
24a3d1ecb2e0087b2140c6674453fcf9d82cf150

SHA256
13a241b6d1144cbe2e11c9d46ebd26a649f574db8c4bf1a98a92fbe824038912

SHA512
fb7dc9db718dd94c7d275388aa376ca219b8c865d6a05b6392d5acc964c67980458ef2ad7746ac8589e01cb95e4830c7ca0301c15300de1c6c02d2a8bf52bde1

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
ba84bf6204db711f866adb2841d5c91c

SHA1
807a03b5ddb07b9e8e30c8261e3ba5514cc537e2

SHA256
dad6ee5a8b12b9396b56d827fe91fc8d3f9468428e32902390c0ddef596f2f26

SHA512
ad18d5a353add4e7ffc8868c9ce62ebea947531684e4a054dce116a97a8397dfce39dfc7744cf416fc1259035824645a8ae71b4eed9f8fd5d534c29995c0578a

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
cde2424d99db56dd0d1eaf34811738c1

SHA1
cc7889c43729b93a4e193b2fd6ae5f22b6ad6b8f

SHA256
4ceaf28cadfd0929b44e9c686b93432a7151504c8ffe2a6afe516f9b16538131

SHA512
d5b8ef2de3fefde29b2c9cccb330c3076ba71d6ae29e1b34617057d8a832d37eae8e2f238e2abb6eb226453c00a835c669a7c03a00cd1698d02272d8eb6998e2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
acf4321ac8c8ff4d0442c799d621f8d9

SHA1
b12f87e6afc48697f1ce8b587715361e89b79cae

SHA256
69b84f7318798a91143e3d273ae9c0bedaabba930e3702447d493e2b8dd70725

SHA512
7878a7cd62f9d259a6bab05e13e9ac5b16437c0d8bda46e864f205465ae19531e5655d7547ae1594a53a05ddeb8b0c6058a73caeb21cd7c81fe5a424303d3bde

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
3c47c25b8141d20b2b4d576000000a61

SHA1
04543f9cdd847ff66389c9fd1e12b444dae6383a

SHA256
290030199e8b47d6bcf466f9fc81fee7e6aebc2c16a3f26dd77019f795658956

SHA512
c599ef06045583b28faac051909c28f5f2fa56c34d47f3bd49efc101a1cdcb571a298eb100d0b381e3ebb1ba19b2fb4dd5127f259eb8ab183753722ecbe0f10a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
18KB

MD5
e05ce0232e64328c62c9da37698566bf

SHA1
50c25e6ecec2cd17ecf3117bb9a646ba107d2b84

SHA256
573aed3f3eb436f9b7c24d51be3be2105deb8149ebda9b964660930c957b2410

SHA512
8093bd5d1ad96d759a5d9183fca27d7cb756e0884776673f132d20119e602ea33f8121893b9b90965b0eb5710e244faf4e2ad738479998fc2c5dc37f83fe18cb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
a26c7ffcf18b62904dab7786de638ea6

SHA1
b28489bc38ee2f522ee83dcf49faeb96f39a77e3

SHA256
74075b7af84378cee0d035c020b320ee52a120b21f71a4972093c9e23d534830

SHA512
768c8d7818acacf83d8bd020ab239408673f6cf9e0e8f1be1dab2dd58c5df4e45b970baf7d8d09887280be0788790eacd6126274deaca6b1c4b7bad3e335b34f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
6a55a7e284b51b086b63cc6f2061ce8b

SHA1
46a48a1ccf5262038b71ed4be09cf625009d078d

SHA256
d9973270a952b4ce615104520051e847b26e4b1cc330a5a95ba1ae128f0dfdeb

SHA512
6a6ba643bf15581cd579e383bac351ccae714d50453cff52cac7dcf5bd472a170e7d33b0509c7bd50c5e76e8a0304fa88dcad63a9e2cd0694a5c56f4a21ae363

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
6e38a6bed88e1c27155e4dc428188ef0

SHA1
8b47a1960ed157f7beeb80fa4a16a723279c4efa

SHA256
144d3a28e43e47fc1cce956255cc80467d4a6fbbb8f612ec6d85f62de030a924

SHA512
3b801875bc5a483eea6d6cc43015e759ee1f66c12585f698cb92368455f25b5309617c8beae39945cadb57009a9c9a9ce21c18dec28e86097c67d8fc5f9febab

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

Filesize
18KB

MD5
9304209688e2a18d0b26997bc78fda7a

SHA1
5d4332cf1c5123418c6419d0291486c3939e8785

SHA256
d6bc1509fd2d4ea07e661f2f59395b4d71907d16f59942443a5d460df343dbf4

SHA512
5952e192b6150055bc88e672fb0254bc962abd27afb5c30cd0f52ede98ad84eba9966d721b3b6602116ff40ad5c489a24eac35dde77397db88aa46ad2bd18960

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

Filesize
18KB

MD5
f42a84d78a5a15ff1a4dbac591e95783

SHA1
1cd5b5e68fd729bdd340463b53728634d342b0cd

SHA256
f60267cab87dfc1accf912c212186112aba38742f621549d6bc8d67e217e7234

SHA512
89ba6571df642dbac769c72914b30f2d27107f023a9e1cbb0c6f5412b6a69d414cd99f29de07d06592c7ab9cdfc558f3b65b7050921bd442c01417bac0a850f0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
18KB

MD5
9f286e57e5b1c1a347adf9eef059ad5d

SHA1
631aa1aa364234acc5ad20b27f926e9cb9ee4276

SHA256
f93ddef4ac14ef778790f3f00057ab6cafc0c99dff52cc24f523d63917719970

SHA512
6df20707ccda0cf9916b7c00b11a4a82b47a0f6e87c6eba0f38e440e143b4aa6e5b48f67d09a9eeef75da2aadfbb5abc7e62362f50d674bb8a532e290699a197

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
18KB

MD5
beaae8294db31afa04fa60795c6e02ae

SHA1
8a32ebd843e461864747fe0aebf4bbf83c4ec093

SHA256
f8e8d85035bcb478ce2ab47a6476a8c756a7c8fa05bad66b9a03ece6a2ced141

SHA512
dd1a75943401ae5d20c9ee023ba77000db9433a643ec2f102cd3a72faf274deb3611954557c81120d81ff447f86b7309cec1c9005ab37ed7bb48d6e6c239b135

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
2ac1289e4dbab076b332869bef26d3ce

SHA1
60570ddd06b671e26c6a814b9c08cdfa0ef38aba

SHA256
6475f20f46814d28845c2fa73e9c283a8504483fa16d911325588c778cf76c26

SHA512
e226fb4739d66e2c4624a9e01ec00dbe3b37dc96995eec35660208d76a9e6758a2a29be1b7986d14074df23ea0fc39d2ce121b7bd32c553371c1b15ff3e2ef7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

Filesize
18KB

MD5
a2661a468bb87ee9cc5dee968fd3805c

SHA1
9b17fbd552e34888f1453f9113ff4c42efaf6d6a

SHA256
dc41da54e717aef60228ee11d10669c31d3ddd532eee9ecad944c09b71b762dd

SHA512
b5c01cb3c991fcf8945c764b853f8a32fce324f01562107e086dd998a1b31f9285a0d645c96052b94c955f3626691c3ca2cc9e04d8594a0a7c042530549f1aa3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
18KB

MD5
acbfc011d5842ba60c372ba3d222ab70

SHA1
16b8014060a04bb03215f6ce4c118bae48653bd5

SHA256
b0ae48eb5ff51fa038e1ed23c7c48d266c20c2af3f9907ee6906bb0346df7f9e

SHA512
dce34d64e6674b67c7c6e7c34886c1ede2967e6af7cfe2addfe51fcf70780a33d7308e7ce81a80149034b8f910c045b3ea81f458d9227448fc4b339dc05a59d3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
19KB

MD5
19d14d348ac38737431a7ee2f82973e6

SHA1
11cd8f5dc5c08d133b9b006da5c84946f012cbb6

SHA256
1cd9cff9f7d24b22993a207cb81f15ce2792fa5f941e77e8280db00db6a273ae

SHA512
b3bf7426150bf3b933db4670db3b7d22530c7087efeeab0ddacfbb0bffc01aabdac68e535c7298b13a42530a1aab2340203874b5382581f59309ec9465f6a0cc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
20KB

MD5
ea0e13feac13dc18c79eb682bef4676e

SHA1
b9db47624345c68cf07bd2677df537e0f975caf9

SHA256
2658242ccd090181ed944f682c435e5fb880f3b21d1811d43b93478901d701b0

SHA512
540b9f8b18d42e551f13de3d4a6f0f821ea23e4c85a6346b84e8b74d02cfb5413355d126913699208faefd67680c52cdf4e6ecd66fc0cb4753ee603fe9763df7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
1af2a91dc0a4e48bab0ca123073adf30

SHA1
cf6625fd31b17d46dd31b16372840c74026d0ba2

SHA256
ae574c9b8a2467c3ee0ac3e862255e93a02627bce146ad7b720b99905dc224fc

SHA512
45103c51fc655f608e687c8e9db24c956d12c63b0497ced3817aee3d9f5fadf0741064ccb49ae71fbf377228af315c961fa414221731ea4892425ed4939bbf51

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

Filesize
17KB

MD5
9b9d1949b75df171884f6f8caba7ff59

SHA1
411adf413f53c56488d5cf68e9b4b692889f3c4b

SHA256
cffb2007c31932b092cda3a0a39f1cfcc5766b6a1c05e5eaeabc53660cbbe786

SHA512
dd2110a2406e9cf70e26076ff4bc41f5478ece318ac48e8c7d8101e14c41284ddb2ea305560e1fa27d70925525553969fdcab243b31c0fb5ac460e1f00db2b7c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
18KB

MD5
c6e268c877a9be5b43877308b1231120

SHA1
949105c826dee6a32fe1288285e3e41cb7d04821

SHA256
eae3cd8747da3b435846901a1dbe0e430666d3d8d7ba6e54307cff5d6ee0592f

SHA512
776fe5cc3e5eb7ae9c20e15c6c5bce20fb2a0e9e81d260a08dc41860b3967c7abdc3142786421f349ebe9c43a12e261a34e3e176535b8e04545395279c439331

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

Filesize
18KB

MD5
5122b8aa14a25c8567d9d0335036446f

SHA1
81961f2c8a331136f8156930779964a71e0badc4

SHA256
7b5393e2cb79f0396d5d97510e8f0955a2586aacaf60eb8de3676006cb81dc5c

SHA512
758ff98f838f3ca03ef6a9e5a0e39732afed73f4d15dd7d7a1a842c36ad00a859541b4e977af513ddcf970ed994cc27b11654ddc0f15fffd83bdbeff43084cc9

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
9f5fe3bfd6f8ede27b0716c88a8f8c72

SHA1
d01e02646b8c5f686f5405dc3b9d07131ae10cb4

SHA256
24ba830f626572361a316f18cf08436bdcb3a2da02bf03f020e51669332e69a2

SHA512
18c0b25a8c5227e23afc0f5ae512e212ead1a96b9ee17290beb20bebe5db96bbafce33f5efc101eed5d9c61b919258e0797554ee810fe8f852e6e753813097c0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2548_1685096716\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2548_1685096716\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2548_1685096716\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\772D055D5E4421B179898A4E6FBD9ACC

Filesize
471B

MD5
6a6826af24753af0154be7ddf9d7c2c1

SHA1
980c9b7926ce911f771ba471cceb95a097c58924

SHA256
72a263d1d9871d1cf1d962ed3bedcb374f839edae97390b8f09bd8b7acc7e5f4

SHA512
21a38e74245650662ab498992a42ebe3d8ff2c641c3edc20f4e055656f5ebae1f843ab54b2b2a0ab65e5814a411b1c499efcea2c8cbed4946d01651f49fa5da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
0ec985766eac8573459c891e54d197ff

SHA1
eba6d15879ff2061adeba5c551740f3835f64b09

SHA256
0f449d2a1839ddab7e4e1cc4cbf46f551955a05124fa59f09a8079eab998bbbd

SHA512
1cf73b5a43c9673a0071965f05e2ada3ee5ea9589977a663d6d809bcb78cf615b056ce353c1159f5c4e11b1eacbaa9c8c1652726523117841006a0267aa0e53f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\772D055D5E4421B179898A4E6FBD9ACC

Filesize
400B

MD5
3d752e5d008928cec6e525eacfaa2375

SHA1
91bb254558334e3c857921221661b5e6806bddf7

SHA256
b73df87f49c4c353f6c02a60c55a6f26d83e5c27975379b930ecdbb8fbec5927

SHA512
ac19c6921089293bd94bdb9f34c4d6668c5b26130dd05a0456d215ce3ab916c2e73d417424d7f3537aba66369257951dd06dbb7b813ad2e7c04401deacf5d9f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
058a58e747bdabcc8ba4eb3c5429fd79

SHA1
c9178cfb78e72c5430ca4085ce5ea0b66585142b

SHA256
19122d9f17ed14055e7cc18a16c56ae72301c6a04690495104caf022abd7662c

SHA512
0125af671dc17942f212903a4d047b0e5f8511bac68959f61ae55affd3f373a1f1729420061b4800f90e27e6a8003d488e27c4e47325377228625a02faa453a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
175a0d0f76fa17f6470528385655f963

SHA1
aaee78bb5793eaba7edf356ac1b5a71820cdd208

SHA256
0cefcc735b1f80846a0dc751a8289d45c74de1010f22d4f32c9c606bc57fb88b

SHA512
79da4165b4ad0dcdf22578d42d575c5d5a457b7c179654fa4c93ced110af08050ccce5c34e95a5a77856b076f6c1823b3a24345db2e1c00640bbf7b644f4132b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
f3adb809543bee823c11944b085d1749

SHA1
b337f210ab94699c2f3c5b9dda778f4b2070a167

SHA256
9673aa49d485fa945ebeccaffe033f73f69506fde730032d8f32549f97a23466

SHA512
99678d181129a44a780ec657e02ac28e23dc2c0b59d4a8b3b8938ec9e89647ae91376b48441c43cb3164affc474aebf29b0f8c153f311b5deb5a7b095245c58f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
c2754adb709078d56a5f8bf1393109b6

SHA1
3cc32a33c3d0b3559721cd5216f476d7907eb6aa

SHA256
063b80963387d788df2a80a99505287aea31f4ea8af4754a2370f87dcb99c2ac

SHA512
48f8f284171ca384ae1406158aff849d9b9ed488ed5528f3b7a6ccf3f52e939f132fb13f2afa8cc9083c805c3a5c33e548e3226f0db14f1611a8147fe5835ad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
86ef510edaf9be6e921a55a1f29898b5

SHA1
c821c9ad86fa3a48c79f36ed6032862886b7f833

SHA256
b0f84ba394368393493fd9fb4bddf7a22573c221cb7b8f3e3ec2bf61496b9134

SHA512
572d2cf4ad7d2f7f6d7db3f8fe2e26213881f3d7632b12a2e35d81012b0f031ad0b9ee6dae3ae97ca4102993c6bc82544ccf161a4c0669e67741be22bbfa14c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
da3a8320dc58e32df810dfc5b39e34d7

SHA1
d5d7fd09a0e7bd11865b8bd38f81c71cf6bca44e

SHA256
2f0625b358e14c2b74ab1aa02bece64d8fed50f3e233328a7bf05f58c5f23358

SHA512
5a4d82e0ca693b574d955af4e1445ba8e6558991acc6821aacf391f1a38420f47f3b155958040e62624b8e6e2cb3b2e525e32194e77be0d49a6af4f9b82d2fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7bfff23a6f68e1d933cd04ceb30e8945

SHA1
28d6232fb27169dd6bd2c8680870f1783b60b629

SHA256
ac2e180091ea662d6ed0e748cdf86a5876489dd19ed01c47bf3677861677ba64

SHA512
43792f64c83700a0cd692e686c13473ca0992566ac31e00ff310f2d7d7c868c63bdef4a274a636280209020dbbfcff5f067555cc911467a149eeeb0cc3e1f3d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c33e06673075c6502683e47d662652ff

SHA1
5046d4bf4a5407ea93384fc6ea9d7aaee988f656

SHA256
3caad6a39c23603f909160e88a0468be676337a53482ef83eef5026ea3578a5e

SHA512
db1682f01e325919c33c3b6c3871977fbf69b697da51147e1c469a77ce8412ed60155be2ef3735da49068fcf8f0b7f066346c5f3a63bf8b8b75b5e7c990b5a70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e431b040b0cc71b2cba0fbd23e5523f7

SHA1
a5e784b00d47fb2375607b88d9f1ab904fec9308

SHA256
fa999512aa8f7d20a1cd4dc788e4d92c2c0e9af0fb67997730d408263da7f359

SHA512
30abe4224f0a5a600396e5d80751cbca618f8e0694fbba748ec09dc47906b070ea2370a48ec6ec37d0ce9623f6793cc15ccf70431ece7093924f74373065c016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
a004e5692c9dd6c623bc6b38d69a8b82

SHA1
0539555a079ef132cefebc382962d6b7ae08c5a0

SHA256
74a5356e261f36918d210768cc94597bc9c21c15e7fb6356272b4dabeede197f

SHA512
ce02890a230171ae0c68c40e5649174302c237d2ba9818c9ce5430f2dedbdba601586db2a493e5bdfc22591d45ecc5530c79b27e7e29b3c43aba7c340bfa3d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
52af7b62087d45e85d5cc1ee64537289

SHA1
a756775637e1ee061e436c5c9901e2043546e06c

SHA256
5c71094ff981b861830230679d6c7b20e66f44a24d9666db4f3810817f8726ef

SHA512
b51ec94c0a0d7d7071d36b72c664fd0b98e9495a9d70244535f78739640c7e127647c7668cc14a5cc1cb4c983212b357c9399843549373eadd6c8a6b54263268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bf51e048b7143e028fbbf353fab481bb

SHA1
c1ed70e72095316b387197c861d06e738426e52f

SHA256
54f190fc209663cc9ada4cd351d2ec8afd7ff9d5da43633432690df2bec92faa

SHA512
cc87793f8d7fa3c01ae371da3b32efaff62af0a901f937698665970353175f38ee445e482b346bf8093ca7b6cd84b05046d584ed82f287610edcc240aa5e3406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
062e3f92bb661e850c234abdb49bc322

SHA1
cd357336efd47e1309a1f8b43daae6e52eb8d390

SHA256
09067e66ae5c783e4309cd8464158f0d1c12eaa351b90b029f23fb3cbab26d9e

SHA512
9f2cf4c990ae247c7b938344682c81cd039085fa38570a2d3d680a7305cbab111fe308ddd4a06c07e2ef02a76c10bc48e8b3af99c502f599b0af6e5c16c65365

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5818f2.TMP

Filesize
48B

MD5
44ee51df865e097ae6d3a78bf2f737b0

SHA1
059d7403109456f4c8cdfff0c0e5782fd2d16c21

SHA256
2c567ca739b4038c6c5c4d9c3e2c81391eee977e30e19c5334af2c25402f6695

SHA512
ea4fad0e65f254abe9f7221d8a7d5b029f7e7ade18e6224b32ca89943a12c75311a16f9c1b45f775b7461d4b15183f7ab94e4a4097ba1ddab6b31bfe9e6e08c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
9a142ec83aa7e4a4b0e9529b71f9f858

SHA1
cebf60f5ab46b92452cb91072f045e9acd4efde6

SHA256
01ae21543fdd98c9e6cbbbdb15bece5807cf17c9417fcdd9e53e0d186e35f85d

SHA512
f7c0110733ecb6b555368d0f6e54ccb9852549bc844165e738184bb19b97eda994138cf15eb256f6ffe7da2c41440811ff010d024dd2a7513a972308e44fdd30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
d6b972038704c5fb359224fa7fbd1c65

SHA1
62f3271258b69195336a029cd3dd508fcb37dab7

SHA256
66a8d6352f712b19469940b3b04fb8ed3f0c2886bf9ea27476fa79de933d0b57

SHA512
d6708b5499d3d2c72c1995db298b1877617b8b36598e181edfd827bef6f08ca5c0c392d7c1ec8b46247c76b36227fbf6e96cf290fb5db7811d58579ef0ee1989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
563fb482a58e3fadb366761cf644acad

SHA1
3ed22b474128893142f4f5a95566bb5046d0e501

SHA256
2f5a2a0470f9455912e0a41dc5849e9884a548e4107ab1861456388b72001ce2

SHA512
ce92b8fe1d4af8e3d2d16618c1b0f50bb229ddfb1bd02c32c8e85984208ba06c57c81f3d939301682be1c3c273e3d7a89554f6a1d5df7e0d7aaf9ca325668832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
519348175b544b6aad369e2d04554a8b

SHA1
5e66fc87e31c1b3532601eaf384080bdb17f22f4

SHA256
26a1bd547814e9c97d8f1cd52ceac962ca7df0aface28ceb615b8b1e67f57a83

SHA512
a45e0f6c8631169f8dae08f4c2d5c77ce134fd48520b5f7cf8cdeaedbadfe5ac98e032c5ecf8e088594a15f82f5f33d695311f56f59db6f9aa7c7835e1f16f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\79cad3d3-f348-4714-9cdb-ed75ae3c18aa.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7ed4a5f7e00cf6e5d822b27b55757976

SHA1
76b0065549de1dfe98d3c16525816de63ecdade9

SHA256
8d0b8dba29390aaa45afe360873f73a4a1bea1d354ad4ae228963c7589e671f3

SHA512
938d75d60ecbc3f2e3899db0c21ea44e40b9487fd5e5cf35014875e9cb54daa695ecfc3cf785ded0460d7adea17e3d881695d0fbe5da17b37d65fa1843e5ba71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5aceea.TMP

Filesize
3KB

MD5
f87a7bffce9729726cba1e3546a7fc7b

SHA1
d07e6befbbf93f6537503bc76ea0ffff73e74abc

SHA256
cb5bcc0149bdf68dab265440d24a90b5bc0048b1a8652bfdf6e61edd85d6f037

SHA512
236b61fe4c49170eea5f83919146750af09d5998dd03c7233f01d435819541b7c5b9acee1ca26eef41a4e03647aa9bb4223329abd6fe4d021dc439e0b5bf86d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5b8e58069059bbb6cace477bd7aa4d84

SHA1
29d41ec00759374334b844dec788677e68f3761e

SHA256
dccabd14138a64f40ff009067c1c7df1153121d018263b919f8de7080f532ce6

SHA512
5e888ae71726859b3c8510775dcfe8677ef9189767c5d5e2ea9d908c7eaa9a4892890f63f5fd77904e0a2a464ad719ebe53fbeab06b3f761b631cdf9f13a226d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
dd4ab21cce97ac9a344e021354065511

SHA1
9019b013893739054defd28cb7fd2d1099fd19c7

SHA256
0efdeee11b4c695a64cae21a7cc9a5ffec147c5a7464c5acf30f869911775bba

SHA512
84cecdb2c0ac4f1bbd7afcf7c607c2351422905648a889fd7716f54737f3ca7eaddf70ab69b54a7930357dcd9fcb0ffad629c49adaac3ca0b209bbfec1bced7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
12db87a150df726d00d739e5b6434ae9

SHA1
a3e54915ffd3b568dd8b251685774892c8fb9a2a

SHA256
26a5dc972e69ee1683722ca1e82ca3f4f82539f2159a74c558cbc05152950c96

SHA512
0c655f5601be890a8bd13dbceca3b62cb56cb0a15f126fcb23c2feecc55321c9eb78d0bdd7faca122da993489acfb29e2ff3d88c47c5939d6384d0e6cc4365a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
566ac8cd88836027b0d5e778710fb9a7

SHA1
6eb03d300b631523a3a84074d80777d25ed57d34

SHA256
7781b28dc12465b8e610c79388ee0f6fedddc62f49c941fbc8639ead072ade07

SHA512
975d58b880ee463e309ee5303002ac7883ae38af9de5cfdc71df3d010c51029049f31946d8e78f7f18896cda09ab01be60533ecb963f8b2f66cb83df4ea37992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
11af82d662aa8551c5d1e445f5a82b05

SHA1
2e097151a4668ed6846b5430cca4d9add7f361b2

SHA256
438edfc63682270d8dece3763331456066898959df6072e9044f9b4c35b572e0

SHA512
8ccca9818056eb9c5b7a91bcc63fe54edf6e35733bae9d9e8e85d3d7617b8330f6eae6b0e818f7d44b26f3e566b1cb3341560a302dc9349a2cf21812ae03c73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
00450322c1e7291550a250aafab1c6a1

SHA1
c89b621dac6ca5038a75069a5732653765b771f9

SHA256
ecc7833bb028af5aaabc16b54bcb9e638cd5b54ae4c8efd6bc28ec0b21231bf1

SHA512
3bc086531dbb2088597b2715c52121dd232761b35f78a3cbfb368d2e4935a912c476151995be8ac8bf06b0ece9877cff1997f5e536f4118dffc76e0ff55d5411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
2951a3c2409532d8c29792df9052f35e

SHA1
d72db3212d4c9b3eae8fc95478b356e638d0971d

SHA256
633734da894170ef5ae7715443c1a3834e275b68db41deb57e8835482757717d

SHA512
306bbefb1a908d74b24547c330d5e8fd0b9254daf20e4c814d43807b0664c0e4a93a3758b06b5a131c49caaaaacaacbf7d0598e10e79b4c3c09b639c46bac9a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
5c211b61328de9358be77aa191738fcc

SHA1
55b2349d35a4bd0c689e7c0d93d61f0f5d9bcc88

SHA256
e57720b207584d42f2a17bf0fc2d49d3d052af199bafa6b4a5c34a468420a202

SHA512
625c7d972eace1a990ce61d350dde92520acc78148b829c2f53936adfcfcd37faa5ce7cd160d44ce76b0af8d4a751f2de3aec3b5f3c03cf6a8f3623b8a72884a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
0a281870b003470fdd721c7ac636da12

SHA1
e2bff419365e984766bfb87e28c4f9770dba4e77

SHA256
70a1849690879e4855d763d0093bc60b47f3d56f4bde7fd172f2164702402d31

SHA512
50796fddf5ba6079731074b9ad54e0381f44282d5bb5b82e5586e6253cb170310fbfbf0df83b45df4b7cbdd18a5a2c31e4a56b5f690e898875977c549de30bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
f990b618fc1d841eb762fbb310f3058a

SHA1
bb3be052d370a9c14b73edcf591bc813a8669eaf

SHA256
de75d47d2d8b392063c4375525fafb97aecdaaab91dbab1e16b8fd084247d63f

SHA512
8fdec226ac584e3c64357ba2b463184ee4b858b12a6786e627ed54ff9984774f62f78154fcaa4ed8775c7ac5b0d2742df3ab774c14789eb76e6daa9ad24498d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
94798e457c8ec99ec232f96937e314a1

SHA1
b5fd5685744c03f7ff83a0493f170744adbf519a

SHA256
3b8d292bcaa8e260a52fbd99ff095f66fb154e45b7aaedc9ab1cdf644e20355e

SHA512
a6ac7fcf0df8cec73db1a12db9bb9485e90671ee53ab731c3f030f8849cfed4186d001dcb34a5f652f5170a3706f3f83779bb5e55f9d146593f77de8f23df2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
b245fa175c26f8faecd65bfb2cdd671a

SHA1
ace36c9a7bcb63aa49f36347c0a04afa55019610

SHA256
c67c60eae1bf93085f7b60b3a6363adc58d77474c05d69eecc6d7aa1e9cbe1d2

SHA512
ed60c91d2067e541cd399eac902132cde4c54be1de8f6017e24359f77f96a5a683092ff7b5296f48f4366db5a57475e418be239d91e29155a81a255b59a06939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
39db5c5fa79b00899543c049702f7436

SHA1
7d2dfe33c2414e6725b6885b38b5fa00ad3645fc

SHA256
e51a4ac3fa2ce709e8a0d706668157676f5581f5793b239562d6977b3318319c

SHA512
42fd719f138315581432865f9f21feb4a5104162b0a376566602d193d544405778b9935422403c9201e4e52f3399ed98c84f61a7ead0c7270e3512cf8f1cb064

Download Submit
C:\Users\Admin\AppData\Local\Temp\277e2b60-bd8a-4805-bc32-7f3537911458.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kssy5zy.3cf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
0cb589dda71f16ed3e788985705d654d

SHA1
d7544de2a75a14e2677f89142e684a90019aad77

SHA256
0edf9cc62c66f91eef4ff01848f9324999df945cc1d1d41c3fd6dfe075f6e49a

SHA512
e4f2649071432f46f3e12491c36d906cfd5aed506cf9cba3bfcb45f826d0afdd207f99901491adea6128bde223439aaee2b5e63c22ac6ed9a15eb018a9e01872

Download Submit
memory/3360-1414-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/3360-1430-0x0000000036B10000-0x0000000036B20000-memory.dmp

Filesize
64KB

Download
memory/3360-1546-0x000000006FEE0000-0x000000006FF5E000-memory.dmp

Filesize
504KB

Download
memory/3360-1548-0x000000006FE00000-0x000000006FE59000-memory.dmp

Filesize
356KB

Download
memory/3360-1547-0x000000006FE60000-0x000000006FEDA000-memory.dmp

Filesize
488KB

Download
memory/3360-1549-0x000000006FF60000-0x0000000070506000-memory.dmp

Filesize
5.6MB

Download
memory/3360-1550-0x0000000070590000-0x0000000071F8B000-memory.dmp

Filesize
26.0MB

Download
memory/4556-1323-0x000000006E8C0000-0x000000006E90C000-memory.dmp

Filesize
304KB

Download
memory/4828-1303-0x000000006E8C0000-0x000000006E90C000-memory.dmp

Filesize
304KB

Download
memory/4828-1298-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/5588-1284-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/5588-1271-0x0000000006760000-0x0000000006792000-memory.dmp

Filesize
200KB

Download
memory/5588-1288-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/5588-1287-0x0000000007710000-0x00000000077A6000-memory.dmp

Filesize
600KB

Download
memory/5588-1286-0x0000000007500000-0x000000000750A000-memory.dmp

Filesize
40KB

Download
memory/5588-1290-0x00000000077B0000-0x00000000077CA000-memory.dmp

Filesize
104KB

Download
memory/5588-1285-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/5588-1283-0x0000000007160000-0x0000000007203000-memory.dmp

Filesize
652KB

Download
memory/5588-1282-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/5588-1289-0x00000000076E0000-0x00000000076EE000-memory.dmp

Filesize
56KB

Download
memory/5588-1272-0x000000006E8C0000-0x000000006E90C000-memory.dmp

Filesize
304KB

Download
memory/5588-1270-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/5588-1269-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/5588-1268-0x0000000005D50000-0x00000000060A4000-memory.dmp

Filesize
3.3MB

Download
memory/5588-1258-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/5588-1257-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/5588-1256-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/5588-1255-0x00000000054C0000-0x0000000005AE8000-memory.dmp

Filesize
6.2MB

Download
memory/5588-1254-0x0000000002870000-0x00000000028A6000-memory.dmp

Filesize
216KB

Download