guerrilla | 500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4

Analysis

max time kernel
115s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Не подтверждено 709223.exe
Size

2.1MB
MD5

2b259cd02570e0d7103c70fe9a9e4d17
SHA1

035fe918c59274c1fc662e7d88d0d92d1150fa19
SHA256

500cd8d0e8d7eb3cf7da63dd93978bf36a07fdc6b5a844de30cf84ccb38eedc4
SHA512

2547a8b631ca07270668741612a8a0d3935008a98ab538f6a14fb1cf3e8d2d82ae7bbe9fe22a495b32ee16b038aaa268b2750ed42705fbf6d080249279cdcb27
SSDEEP

24576:Ezvv2Jddh0hXxwQNBH5ffUX5zAEefc5Urz5Eo7zrrdXbETyLAyNBN/8LcpmZQ4J/:22e1iify35cdrrFJAWb/8amDe8hSSw0r

Score

10^/10

guerrilla discovery execution exploit infostealer persistence privilege_escalation rat trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla
Guerrilla family
guerrilla

Guerrilla payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002427b-292.dat	family_guerrilla

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLREMOVESIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "FormatVerisignExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
4012	icacls.exe
728	takeown.exe
1276	icacls.exe
4944	takeown.exe
4084	icacls.exe
4396	takeown.exe
4004	icacls.exe
4564	takeown.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4012	icacls.exe
728	takeown.exe
1276	icacls.exe
4944	takeown.exe
4084	icacls.exe
4396	takeown.exe
4004	icacls.exe
4564	takeown.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
47	2280	Не подтверждено 709223.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Не подтверждено 709223.exe
File opened (read-only)	\??\F:	LDPlayer.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuthSimple.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe

Executes dropped EXE 3 IoCs

pid	Process
1068	LDPlayer.exe
5104	dnrepairer.exe
4504	Ld9BoxSVC.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3616	sc.exe
3284	sc.exe
3424	sc.exe
1276	sc.exe

Loads dropped DLL 49 IoCs

pid	Process
5104	dnrepairer.exe
5104	dnrepairer.exe
5104	dnrepairer.exe
5104	dnrepairer.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4504	Ld9BoxSVC.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
4820	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
756	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
1424	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe
2288	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Не подтверждено 709223.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4568	systeminfo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\ = "IGraphicsAdapter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\ = "INetworkAdapter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9849-4F47-813E-24A75DC85615}\ = "IParallelPortChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\ = "IExtraDataChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\ = "INATNetworkPortForwardEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ = "IHostNetworkInterface"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}\ = "IGuestMonitorInfoChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\ = "IEventListener"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods\ = "34"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\ = "IMediumConfigChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\ = "IGuestScreenInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\ = "IGuestPropertyChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ = "IHostUSBDevice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ = "ICloudNetwork"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ = "IGuestFileIOEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ = "IGuestFileReadEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A06-81FC-A916-78B2DA1FA0E5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ = "IGuestProcessIOEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\ = "IGuestUserStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2280	Не подтверждено 709223.exe
2280	Не подтверждено 709223.exe
2280	Не подтверждено 709223.exe
2280	Не подтверждено 709223.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
1068	LDPlayer.exe
5104	dnrepairer.exe
5104	dnrepairer.exe
2044	powershell.exe
2044	powershell.exe
2748	powershell.exe
2748	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe
Token: SeDebugPrivilege	1068	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1068	2280	Не подтверждено 709223.exe	102
PID 2280 wrote to memory of 1068	2280	Не подтверждено 709223.exe	102
PID 2280 wrote to memory of 1068	2280	Не подтверждено 709223.exe	102
PID 1068 wrote to memory of 5104	1068	LDPlayer.exe	108
PID 1068 wrote to memory of 5104	1068	LDPlayer.exe	108
PID 1068 wrote to memory of 5104	1068	LDPlayer.exe	108
PID 5104 wrote to memory of 2776	5104	dnrepairer.exe	109
PID 5104 wrote to memory of 2776	5104	dnrepairer.exe	109
PID 5104 wrote to memory of 2776	5104	dnrepairer.exe	109
PID 2776 wrote to memory of 3644	2776	net.exe	111
PID 2776 wrote to memory of 3644	2776	net.exe	111
PID 2776 wrote to memory of 3644	2776	net.exe	111
PID 5104 wrote to memory of 3648	5104	dnrepairer.exe	112
PID 5104 wrote to memory of 3648	5104	dnrepairer.exe	112
PID 5104 wrote to memory of 3648	5104	dnrepairer.exe	112
PID 5104 wrote to memory of 1500	5104	dnrepairer.exe	113
PID 5104 wrote to memory of 1500	5104	dnrepairer.exe	113
PID 5104 wrote to memory of 1500	5104	dnrepairer.exe	113
PID 5104 wrote to memory of 4972	5104	dnrepairer.exe	114
PID 5104 wrote to memory of 4972	5104	dnrepairer.exe	114
PID 5104 wrote to memory of 4972	5104	dnrepairer.exe	114
PID 5104 wrote to memory of 4108	5104	dnrepairer.exe	115
PID 5104 wrote to memory of 4108	5104	dnrepairer.exe	115
PID 5104 wrote to memory of 4108	5104	dnrepairer.exe	115
PID 5104 wrote to memory of 2572	5104	dnrepairer.exe	116
PID 5104 wrote to memory of 2572	5104	dnrepairer.exe	116
PID 5104 wrote to memory of 2572	5104	dnrepairer.exe	116
PID 5104 wrote to memory of 4816	5104	dnrepairer.exe	117
PID 5104 wrote to memory of 4816	5104	dnrepairer.exe	117
PID 5104 wrote to memory of 4816	5104	dnrepairer.exe	117
PID 5104 wrote to memory of 1136	5104	dnrepairer.exe	118
PID 5104 wrote to memory of 1136	5104	dnrepairer.exe	118
PID 5104 wrote to memory of 1136	5104	dnrepairer.exe	118
PID 5104 wrote to memory of 4396	5104	dnrepairer.exe	119
PID 5104 wrote to memory of 4396	5104	dnrepairer.exe	119
PID 5104 wrote to memory of 4396	5104	dnrepairer.exe	119
PID 5104 wrote to memory of 4004	5104	dnrepairer.exe	121
PID 5104 wrote to memory of 4004	5104	dnrepairer.exe	121
PID 5104 wrote to memory of 4004	5104	dnrepairer.exe	121
PID 5104 wrote to memory of 4564	5104	dnrepairer.exe	123
PID 5104 wrote to memory of 4564	5104	dnrepairer.exe	123
PID 5104 wrote to memory of 4564	5104	dnrepairer.exe	123
PID 5104 wrote to memory of 4012	5104	dnrepairer.exe	125
PID 5104 wrote to memory of 4012	5104	dnrepairer.exe	125
PID 5104 wrote to memory of 4012	5104	dnrepairer.exe	125
PID 5104 wrote to memory of 728	5104	dnrepairer.exe	127
PID 5104 wrote to memory of 728	5104	dnrepairer.exe	127
PID 5104 wrote to memory of 728	5104	dnrepairer.exe	127
PID 5104 wrote to memory of 1276	5104	dnrepairer.exe	136
PID 5104 wrote to memory of 1276	5104	dnrepairer.exe	136
PID 5104 wrote to memory of 1276	5104	dnrepairer.exe	136
PID 5104 wrote to memory of 4504	5104	dnrepairer.exe	131
PID 5104 wrote to memory of 4504	5104	dnrepairer.exe	131
PID 5104 wrote to memory of 4820	5104	dnrepairer.exe	132
PID 5104 wrote to memory of 4820	5104	dnrepairer.exe	132
PID 5104 wrote to memory of 756	5104	dnrepairer.exe	133
PID 5104 wrote to memory of 756	5104	dnrepairer.exe	133
PID 5104 wrote to memory of 756	5104	dnrepairer.exe	133
PID 5104 wrote to memory of 1424	5104	dnrepairer.exe	134
PID 5104 wrote to memory of 1424	5104	dnrepairer.exe	134
PID 5104 wrote to memory of 2288	5104	dnrepairer.exe	135
PID 5104 wrote to memory of 2288	5104	dnrepairer.exe	135
PID 5104 wrote to memory of 2288	5104	dnrepairer.exe	135
PID 5104 wrote to memory of 1276	5104	dnrepairer.exe	136

C:\Users\Admin\AppData\Local\Temp\Не подтверждено 709223.exe
"C:\Users\Admin\AppData\Local\Temp\Не подтверждено 709223.exe"
1⤵
- Downloads MZ/PE file
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid= -language=en -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=655418
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3648
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:1500
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4972
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4108
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4816
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:1136
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4396
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4004
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4012
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\Users\Admin\.Ld9VirtualBox" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:728
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\Users\Admin\.Ld9VirtualBox" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4504
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:4820
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:756
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1424
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2288
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3616
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3284
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:4568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      PID:1936
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4944
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1ea48ba4040743ffc511b0cc923a178b

SHA1
72b76002087d62c9580ff2a1655b41095826acc4

SHA256
1e2e3ca8d4bfe01a68586e3568b8964eba8bf92a6bc19b7c245865ad9ba7280e

SHA512
20bc651739a267514cf2b7d158c2d0a56ac0251fe8c5f79eed7d88f6628d92d3bd3b697a6c958fb1f46f853c6defa204a6557996ad9d32a741e787cb8188026d

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
10b376bf925c50a88096b601abef4d80

SHA1
24a3d1ecb2e0087b2140c6674453fcf9d82cf150

SHA256
13a241b6d1144cbe2e11c9d46ebd26a649f574db8c4bf1a98a92fbe824038912

SHA512
fb7dc9db718dd94c7d275388aa376ca219b8c865d6a05b6392d5acc964c67980458ef2ad7746ac8589e01cb95e4830c7ca0301c15300de1c6c02d2a8bf52bde1

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
ba84bf6204db711f866adb2841d5c91c

SHA1
807a03b5ddb07b9e8e30c8261e3ba5514cc537e2

SHA256
dad6ee5a8b12b9396b56d827fe91fc8d3f9468428e32902390c0ddef596f2f26

SHA512
ad18d5a353add4e7ffc8868c9ce62ebea947531684e4a054dce116a97a8397dfce39dfc7744cf416fc1259035824645a8ae71b4eed9f8fd5d534c29995c0578a

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
47.7MB

MD5
20246c929b66759a1a3796dd5238897d

SHA1
3475ce0cb9963feced14a5a90c27f9cdad3edf86

SHA256
43c084057e7c19e69e164941169268dea10d9f8bb7e9135b9b51c54ad1276a16

SHA512
002863acef7b80d596bba64585c557b91a32635d3d3d67bf62d7804263079eff301b74b0c7e70c93251c41440acc67d57848efd99a3977d41625174efe382942

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
49.7MB

MD5
11c97f3cac3db775c42f36aebef4a3d9

SHA1
71c3e5e122936731d70250f68424db07fa2cfbdd

SHA256
41134b6947e2643beb11039ab285f81b52737919f50b3eedf2a228a2684893d6

SHA512
1fb349dd436bef5d2d6fe08f2f5acb6961420942f02a6b941ee2eba3f918de23a9f4f4b17ddc5056805942c7cb5ed013ec8f3e69b06b9dce7d9d553e0d8b4556

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
843.5MB

MD5
1a82c73b3f57a1827c895ed147c6ae20

SHA1
8dd1398555f8a47a7a504313df4fad7166ee14ec

SHA256
994c8993cc5bd351f73155b033f295d764b87afa069d632d6868e21c26b5f000

SHA512
ec81401e9b4b4d8762c03cc3d8ec4472b2edd8dbc5ffdc03c2ddcf43110060ffa2f02f235a86c9e02d781f0cc5cc4ffde4fbced711e48e7792f160aac01c6c83

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll

Filesize
532KB

MD5
6e7fbe564419ee8d3da070a763781334

SHA1
ba925047bd904b87b363ad72f9866e7657642410

SHA256
72436a0b09332033d6f5e4688f49e6497ac98fec9bb79c34ce9c551bbb21807e

SHA512
5416efc6d831560593e0ff43bcaec4d42f16a88899f737bd938ac180a68cd6e4cbe1282bf3454db16394e0e089f48c86b131c2efee2c876712434d904aa4f3e2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll

Filesize
18KB

MD5
cde2424d99db56dd0d1eaf34811738c1

SHA1
cc7889c43729b93a4e193b2fd6ae5f22b6ad6b8f

SHA256
4ceaf28cadfd0929b44e9c686b93432a7151504c8ffe2a6afe516f9b16538131

SHA512
d5b8ef2de3fefde29b2c9cccb330c3076ba71d6ae29e1b34617057d8a832d37eae8e2f238e2abb6eb226453c00a835c669a7c03a00cd1698d02272d8eb6998e2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
17KB

MD5
acf4321ac8c8ff4d0442c799d621f8d9

SHA1
b12f87e6afc48697f1ce8b587715361e89b79cae

SHA256
69b84f7318798a91143e3d273ae9c0bedaabba930e3702447d493e2b8dd70725

SHA512
7878a7cd62f9d259a6bab05e13e9ac5b16437c0d8bda46e864f205465ae19531e5655d7547ae1594a53a05ddeb8b0c6058a73caeb21cd7c81fe5a424303d3bde

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll

Filesize
17KB

MD5
3c47c25b8141d20b2b4d576000000a61

SHA1
04543f9cdd847ff66389c9fd1e12b444dae6383a

SHA256
290030199e8b47d6bcf466f9fc81fee7e6aebc2c16a3f26dd77019f795658956

SHA512
c599ef06045583b28faac051909c28f5f2fa56c34d47f3bd49efc101a1cdcb571a298eb100d0b381e3ebb1ba19b2fb4dd5127f259eb8ab183753722ecbe0f10a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
18KB

MD5
e05ce0232e64328c62c9da37698566bf

SHA1
50c25e6ecec2cd17ecf3117bb9a646ba107d2b84

SHA256
573aed3f3eb436f9b7c24d51be3be2105deb8149ebda9b964660930c957b2410

SHA512
8093bd5d1ad96d759a5d9183fca27d7cb756e0884776673f132d20119e602ea33f8121893b9b90965b0eb5710e244faf4e2ad738479998fc2c5dc37f83fe18cb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll

Filesize
21KB

MD5
a26c7ffcf18b62904dab7786de638ea6

SHA1
b28489bc38ee2f522ee83dcf49faeb96f39a77e3

SHA256
74075b7af84378cee0d035c020b320ee52a120b21f71a4972093c9e23d534830

SHA512
768c8d7818acacf83d8bd020ab239408673f6cf9e0e8f1be1dab2dd58c5df4e45b970baf7d8d09887280be0788790eacd6126274deaca6b1c4b7bad3e335b34f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
6a55a7e284b51b086b63cc6f2061ce8b

SHA1
46a48a1ccf5262038b71ed4be09cf625009d078d

SHA256
d9973270a952b4ce615104520051e847b26e4b1cc330a5a95ba1ae128f0dfdeb

SHA512
6a6ba643bf15581cd579e383bac351ccae714d50453cff52cac7dcf5bd472a170e7d33b0509c7bd50c5e76e8a0304fa88dcad63a9e2cd0694a5c56f4a21ae363

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
6e38a6bed88e1c27155e4dc428188ef0

SHA1
8b47a1960ed157f7beeb80fa4a16a723279c4efa

SHA256
144d3a28e43e47fc1cce956255cc80467d4a6fbbb8f612ec6d85f62de030a924

SHA512
3b801875bc5a483eea6d6cc43015e759ee1f66c12585f698cb92368455f25b5309617c8beae39945cadb57009a9c9a9ce21c18dec28e86097c67d8fc5f9febab

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll

Filesize
18KB

MD5
9304209688e2a18d0b26997bc78fda7a

SHA1
5d4332cf1c5123418c6419d0291486c3939e8785

SHA256
d6bc1509fd2d4ea07e661f2f59395b4d71907d16f59942443a5d460df343dbf4

SHA512
5952e192b6150055bc88e672fb0254bc962abd27afb5c30cd0f52ede98ad84eba9966d721b3b6602116ff40ad5c489a24eac35dde77397db88aa46ad2bd18960

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll

Filesize
18KB

MD5
f42a84d78a5a15ff1a4dbac591e95783

SHA1
1cd5b5e68fd729bdd340463b53728634d342b0cd

SHA256
f60267cab87dfc1accf912c212186112aba38742f621549d6bc8d67e217e7234

SHA512
89ba6571df642dbac769c72914b30f2d27107f023a9e1cbb0c6f5412b6a69d414cd99f29de07d06592c7ab9cdfc558f3b65b7050921bd442c01417bac0a850f0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
18KB

MD5
9f286e57e5b1c1a347adf9eef059ad5d

SHA1
631aa1aa364234acc5ad20b27f926e9cb9ee4276

SHA256
f93ddef4ac14ef778790f3f00057ab6cafc0c99dff52cc24f523d63917719970

SHA512
6df20707ccda0cf9916b7c00b11a4a82b47a0f6e87c6eba0f38e440e143b4aa6e5b48f67d09a9eeef75da2aadfbb5abc7e62362f50d674bb8a532e290699a197

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
18KB

MD5
beaae8294db31afa04fa60795c6e02ae

SHA1
8a32ebd843e461864747fe0aebf4bbf83c4ec093

SHA256
f8e8d85035bcb478ce2ab47a6476a8c756a7c8fa05bad66b9a03ece6a2ced141

SHA512
dd1a75943401ae5d20c9ee023ba77000db9433a643ec2f102cd3a72faf274deb3611954557c81120d81ff447f86b7309cec1c9005ab37ed7bb48d6e6c239b135

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
2ac1289e4dbab076b332869bef26d3ce

SHA1
60570ddd06b671e26c6a814b9c08cdfa0ef38aba

SHA256
6475f20f46814d28845c2fa73e9c283a8504483fa16d911325588c778cf76c26

SHA512
e226fb4739d66e2c4624a9e01ec00dbe3b37dc96995eec35660208d76a9e6758a2a29be1b7986d14074df23ea0fc39d2ce121b7bd32c553371c1b15ff3e2ef7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll

Filesize
18KB

MD5
a2661a468bb87ee9cc5dee968fd3805c

SHA1
9b17fbd552e34888f1453f9113ff4c42efaf6d6a

SHA256
dc41da54e717aef60228ee11d10669c31d3ddd532eee9ecad944c09b71b762dd

SHA512
b5c01cb3c991fcf8945c764b853f8a32fce324f01562107e086dd998a1b31f9285a0d645c96052b94c955f3626691c3ca2cc9e04d8594a0a7c042530549f1aa3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
18KB

MD5
acbfc011d5842ba60c372ba3d222ab70

SHA1
16b8014060a04bb03215f6ce4c118bae48653bd5

SHA256
b0ae48eb5ff51fa038e1ed23c7c48d266c20c2af3f9907ee6906bb0346df7f9e

SHA512
dce34d64e6674b67c7c6e7c34886c1ede2967e6af7cfe2addfe51fcf70780a33d7308e7ce81a80149034b8f910c045b3ea81f458d9227448fc4b339dc05a59d3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
19KB

MD5
19d14d348ac38737431a7ee2f82973e6

SHA1
11cd8f5dc5c08d133b9b006da5c84946f012cbb6

SHA256
1cd9cff9f7d24b22993a207cb81f15ce2792fa5f941e77e8280db00db6a273ae

SHA512
b3bf7426150bf3b933db4670db3b7d22530c7087efeeab0ddacfbb0bffc01aabdac68e535c7298b13a42530a1aab2340203874b5382581f59309ec9465f6a0cc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
20KB

MD5
ea0e13feac13dc18c79eb682bef4676e

SHA1
b9db47624345c68cf07bd2677df537e0f975caf9

SHA256
2658242ccd090181ed944f682c435e5fb880f3b21d1811d43b93478901d701b0

SHA512
540b9f8b18d42e551f13de3d4a6f0f821ea23e4c85a6346b84e8b74d02cfb5413355d126913699208faefd67680c52cdf4e6ecd66fc0cb4753ee603fe9763df7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
1af2a91dc0a4e48bab0ca123073adf30

SHA1
cf6625fd31b17d46dd31b16372840c74026d0ba2

SHA256
ae574c9b8a2467c3ee0ac3e862255e93a02627bce146ad7b720b99905dc224fc

SHA512
45103c51fc655f608e687c8e9db24c956d12c63b0497ced3817aee3d9f5fadf0741064ccb49ae71fbf377228af315c961fa414221731ea4892425ed4939bbf51

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll

Filesize
17KB

MD5
9b9d1949b75df171884f6f8caba7ff59

SHA1
411adf413f53c56488d5cf68e9b4b692889f3c4b

SHA256
cffb2007c31932b092cda3a0a39f1cfcc5766b6a1c05e5eaeabc53660cbbe786

SHA512
dd2110a2406e9cf70e26076ff4bc41f5478ece318ac48e8c7d8101e14c41284ddb2ea305560e1fa27d70925525553969fdcab243b31c0fb5ac460e1f00db2b7c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
18KB

MD5
c6e268c877a9be5b43877308b1231120

SHA1
949105c826dee6a32fe1288285e3e41cb7d04821

SHA256
eae3cd8747da3b435846901a1dbe0e430666d3d8d7ba6e54307cff5d6ee0592f

SHA512
776fe5cc3e5eb7ae9c20e15c6c5bce20fb2a0e9e81d260a08dc41860b3967c7abdc3142786421f349ebe9c43a12e261a34e3e176535b8e04545395279c439331

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll

Filesize
18KB

MD5
5122b8aa14a25c8567d9d0335036446f

SHA1
81961f2c8a331136f8156930779964a71e0badc4

SHA256
7b5393e2cb79f0396d5d97510e8f0955a2586aacaf60eb8de3676006cb81dc5c

SHA512
758ff98f838f3ca03ef6a9e5a0e39732afed73f4d15dd7d7a1a842c36ad00a859541b4e977af513ddcf970ed994cc27b11654ddc0f15fffd83bdbeff43084cc9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll

Filesize
20KB

MD5
e1b30d56617709cf7dff5f464d7566d9

SHA1
e29646b1c90550cb86ed42782c764d41f2c70651

SHA256
5d1a854a0c5121e2e8866dad26545f7f8c2d2f1b15ed7f1ed0b72654a1fc299b

SHA512
e158389a4f71eb94a2e73706f0d52db91798104d990065029a3745dbc9a0459ed9ae96c78bd005043de9057bae66f35a174537c525385abc8e91dbbf579ba511

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
e4b64b2710725ec3332021bd8044d884

SHA1
2d7f8d87d0f395296ecdf277084d23cb9e0880e8

SHA256
9566b81b1c6db1727a4bb3a7a3de12247ff5297f34548593280ec31f2b2e2c65

SHA512
ae5570a2cd245588a3f80744c7b1af99533730ebf8926f51a2cc13004a6eb5ecb501aa8c2906e5fa5ddc5a92fb796d54af43b3e3ff97ca1cc3d898462bf7e9b2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
19KB

MD5
67fd470a60fe8fb3f9fbe32fa52871d0

SHA1
09aba019a0d0dae7415b6d9a39e1dc67d93f130b

SHA256
1f98f9e044d32e61445c5fab3c80c2f37ca6bab3d5b22cd5611fb5df73db04a8

SHA512
f8c3f1e3bee196487aec704f128240acb57fb392db918a97176793b07726f017177abbb5a6c68822fc59ce06f04d489a78284a865efdc2de518f34ecfb0cc1e6

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
f53ed8a0c18157b9e37500621dfab9ee

SHA1
b8a3131150cfd46052353309843c802d9f43df03

SHA256
5909e928d791f67a13e3130033cb0e2178f5167a644c3ab5336322d38356db47

SHA512
2cc98322e67ff49aacaba0b23fb559a5c4c58182e4f3965673a766d3198a26fcd7c7c340779d9fb0fc3f2649c16427ff312d87caa1feadf23dabc6675169416a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll

Filesize
18KB

MD5
2b9f551cddd662c618432a75c546b296

SHA1
1ddd65fcc8bb401c734ebc2014d057328f771744

SHA256
070afbdbe5b3f3b76b6b7ea2dbb9f8deff81c6ec8706eef9080671543e2ae28b

SHA512
54df6e692ac630d969a697c9e6f379c4826ca71b7e8eaefdf502405b1333a6b483256aeba609a4a1c61e73f72d2958aaf3eb31538cc5e7a91101d7d09e3ed9dc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
7d943f85ff8d1515a02d202ae79453d3

SHA1
94def1f7368172ac50b665e74b89e8f7aae2857b

SHA256
1d4464fe335470452e58d613028dde2f105edf969d411e90ba7ca9e343c3fc89

SHA512
e111dbef97c6c6cb3b5c2d183294620792c48a2cb16d9d91c12cede757a1c0c53d707f4294542bef47eae784893bf63fe0f0229bed4b2d0a961c8d1cc1cf43cb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
278857b86f667c47cbcce94f5ec73ca8

SHA1
a0f5b7e7c67f3c6b8f285d39d08b740e49445755

SHA256
91c5966932287078d0e616d8e0369347991f39765749bbffa1ed3a9df49776d9

SHA512
ebc02d1a2e223eb0b30a8e62089735faed83add4161094493f62561a09c13a426815e7f06c20c44477691109a8c3040dc68527023bfee6d9984c42d6a05208c9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
6493b21fefae874655c62a56a156f3eb

SHA1
c65beb46f9f03d35867ff008026d3a56fa26fb65

SHA256
8d9d3e905d072c4465e4787dd5bd843d3a5dd5ac5ad9d7f232032b25facc82ab

SHA512
93cbe187f7fa86ac58191b5384a993135e3291873a76cc2cf81dd60c68ad7591386e4eb5ab53aaac2a6f48f7f778263b7fa0a4ea0863361910a9f1efee92b64b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
ae83311041ee793253ff10736317a09e

SHA1
c62d06cb6cbd9d997c42a6ad7f13c06f38725069

SHA256
8f9361d02f68392127fe264655eac4fef4a4a1bf63571f184ce26faa98670702

SHA512
0fabcb0370330460f8f525401f339535c08d768f075816989a16eff2256584cfa8fd6832df3ce3d9c2a5364b4ef58bfff53cc486e3b48d11b654f7174aa18458

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
12311308d7d65895b3920b3dd3e54b3b

SHA1
3faa74c6913f451d9c575761630b507af0c15ee3

SHA256
76dad3e04c9ff61b40ae1c9e039837cd1c077d59b6a008643e4fbf2dbdb564dc

SHA512
67fd047e760dbdadb06cc2c34b935fdabc629fa988484a9f5120cd59d6167d943b612df65626701022b5e73c5b1177a8d813e90c5990468f51a5a11932c008ed

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
3dafcf25a2ac1becf40acbec8fc7134b

SHA1
0729fdc617403622c2edd77fdb7dd49b530e2037

SHA256
ba1458f730ff90009483c763926d1c74383480e529541c0ef5d4de44e7a4f14c

SHA512
9dbb487489c8a6af8dbd6326fe4958f489552af268f2937495ada35bb8404cfaeaf54833d8bba2966e72cd0ba3284a5fd167baf4cd6d905870f5d1ed3e5ff6c0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
f32bd567d35d2e85504c39dede609e72

SHA1
b7a7145956466e45bbe6f7fe41e935a152c2c325

SHA256
5f2bb085217304006c81c55214c6093ec476e554e31808026e424da82f58aa0e

SHA512
55396f3e5821d3f3eb5988bd3362a0cddf036de4afa8cc1214813834b5a152fc3df787a8347a7aff3de6bf112e1d2a354790f593854a59f1f49393ddf967d085

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
56c02fabc2c64174009c905570c3a22d

SHA1
e52154112ad127ab01937453490091def4d21ad2

SHA256
0aa2cf2cc029c95fc053374071d7873edddc410ff8858720ee5c29bfee62dddc

SHA512
9f22f70b5de4078fcbfdbb186d6cf220561200092eb7ceaaad9d44a5281f84abfb1729f4e447dab3753225d5fc6c44d94363e3729e5765dd2213213c327c4c1b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll

Filesize
69KB

MD5
4b27cf5cdb20aebf113df752019ffca3

SHA1
b02c6e45f704dac118f81c324122c189e3e61e17

SHA256
c1e206aa4c8014dcfdad15c16f50fbf4e3ce8e76e9406af923131ebc001dd5ac

SHA512
cd4df2478d719e159e2252e6784d24e4260c13d8f47774ac33a8e10b1fa96d38236bf2c3ebc060a5801fc19392cbe5c636befa898721bf114956c2be6476bbd1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
fa677cfb18ba1370d8bb98681c48cfbd

SHA1
cbccd561bf53c59254fb04ab136996b81cc80d3a

SHA256
36589e9738a9358065d5a72f4276505d6c2f78101508bede05bdcceea46a8cd8

SHA512
9312acd4955d4950d851910198d4ee622b75e11262e409c79391078d12d2d0db320723a1552048acc0e9deb30378e3cd27d4fabcf2077d429eedfb275cdb73e3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
595a997bd415c8ae0ef1e3c3b73e6091

SHA1
10f34bc2f474a43bfaac26f66ec8081106c12253

SHA256
11aca97acda31203aeee496c9f183b49db1c54d0efa48888a15ab4ea47ee080f

SHA512
944f6bc405c69d6bf6dc97652e9f296658bd3de078dda50ac680e56818c00dfee909b100fc2fa9c6a891c55dbc66dd62ac52819950732c83198dbb8c04f3c9b8

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
415d765aa267382a79e56e428c80b1e1

SHA1
1bf13460b8aaac1538bf45186a1624825bb8c355

SHA256
cf7bbe93ae75a1c46a38204a6acef71bf2f5e3cd34501825601900e07d3d7b15

SHA512
7236ef7b2937718409ef4eeda20318b1697e7c1c868d0df263f4be8673365d48ff6ffa2317bfd1881b6cb3dd1300410ad4f715b8e01ed321c4011aac88490d21

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
5bd5a9001cb0555c5b2b14e0cbc8d922

SHA1
4562d23fba312fe95cbc777fd7c2e37ca1e76ad9

SHA256
b516d1772b75714f039440cf5d070b87a187d2f67b7f891c94cf1c60330fbfa7

SHA512
a6271f28f069a00c2912f80552bd54bf0d8461886adff626b336d25943dd0ade19eb88c718602017a1986317af3eb5f94f8896e88b9367207e8b53225322cb84

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
f719ad4c04043f55a21e73805997b287

SHA1
0e88b1271b242f7933e78edcb05131612cea061e

SHA256
a4b0f75854949980d410c5da90c36ddb94be292431c89fd3e992f9d5f8ee9983

SHA512
752b9b4385162126729c3f09b3b75d7121c8dec00cce11f7cf1ecaffed3e79addcbcfe8bdd4e20e15b8494bfe2d24c3f2d11583860b1e03be021196bc83fc3bf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
a405399d5b958a03e6054307a631553a

SHA1
dba43f0afd8c6e1f61cf0be7503c6f70b48b8240

SHA256
d675ee0c418c4cd7ff0c19c2d945331c8e6072a51abbca548e7d9d2f1bf288dd

SHA512
33c64766053058fa9fa4fe689f1ca5a345b8b70443995d71aa65b64c7bb38d4dc3a2b37ad06a4ce5ca1c927ed9ea4377443eaaecc69b0e758ff265e755194287

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll

Filesize
310KB

MD5
67a3ad0fec3eb767e423e3d7a9134343

SHA1
42949506bc8451031425840df33f3acab5637b52

SHA256
01729ff33c2e3db1033fb86e899d62026dc1c03705269bb9636227f61934d9b3

SHA512
f3b13d38f44acf37c5002f08b684cb2955b778c8a703c8fca6e07eecaac45e1bf4bb036dda055114152390322351ef936492abbf6532d1a48fcfd29304b4db1b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll

Filesize
51KB

MD5
8a2ef730063317fcecc510063c11c28e

SHA1
6992058fa89a2c6ed41ec02afeab0dc9c7d96a51

SHA256
f404f48b5d8223571b4697ababf7da60404ed5fec958bff698d7cffaa6a4fff9

SHA512
c88035598f187125139b93756e5f4324ed253494d63262c9a153a0f4a450a1aff9ccf594e7c82fe6245bac3c055b3c60d84eaa0f5a70d11ef974ad8752686771

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
8ff88ece792ca541615c7971b86541fb

SHA1
c1b989360362a3f7e0b35c1b953a8ad7d25c5377

SHA256
ad3a1f5b6a9403a4f58a09c75a19a19b9ae530c139b22578cad15be05c9e77bb

SHA512
0f654ad06448e822d502321c277763190f38715df82a18655601960d281d587c9a1ea125f6d99da2454cf4cd0f120d4a91e1c56ed6cd8b7f05985484c490521b

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\772D055D5E4421B179898A4E6FBD9ACC

Filesize
471B

MD5
89a2afdc0f5c077aab6d478e75f6317c

SHA1
a8d10d251e8249c8f152b6f9ee82be95faa4b95e

SHA256
4e2d4edd78be8a3b3cf89fe989f92f5e3b95c2322b3e544794664af2feb1f1c7

SHA512
fe6c41ea45d57fb94133d738557fdb097fb601b5b0e4f89d99b88567159e7243b7404090cad7922b7e87c0e938ac0eb68876565edf929b8d75f9ea8aa330d783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
0ac78bc0c6fd7f6b7e1af3889785b4a5

SHA1
b9f1854af784f1ff3bbc5864022195da782e4954

SHA256
accba146d2ba08b3196b34ae992782500cd6138db1f35090314266372bafc1c5

SHA512
7cfaa91fdf7ae9b03b9a62a8579fa1337100143f7108e8ca1680a9e9c4cb675b2504cc9f7e10896bf23b3fdd26252a2b0b3fe28bd38d003edc8eb130b7bb15cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\772D055D5E4421B179898A4E6FBD9ACC

Filesize
400B

MD5
f13b92b67f1fbfbf28d370dec27853b4

SHA1
75744571efa7e075f1d482954fdeaa4e471550de

SHA256
feaea8217d25fe635e9730e495b5886b7f0b2a9be6877538729192c14c2dc8d6

SHA512
294e9f35bd38a859f5ae2513b1d4247f0c9b8d48431697cb0958fc9a9503d84d3e121607c845705a9550a6513fae7813010bc7029db34469fda0b6f44e08e0e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
91a9fa4301e57535d8e9daafc9bc192a

SHA1
7718b19d33e1306c1224ea0d0d80baa1e2bca896

SHA256
a873114534ef880b9381d577fc5fb4024a4b49f789e326cc730849ba91a88ee6

SHA512
e90c799874276ada708912e938ebc4a72d6a16dc923551f264f0504047988ee76036e9aadcb74d3a70283829a7d258057379520a35d74a308c2b66c559ec4f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdycw15g.yl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1936-645-0x000000006F1E0000-0x000000006F22C000-memory.dmp

Filesize
304KB

Download
memory/2044-605-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/2044-577-0x00000000027F0000-0x0000000002826000-memory.dmp

Filesize
216KB

Download
memory/2044-610-0x0000000007690000-0x0000000007726000-memory.dmp

Filesize
600KB

Download
memory/2044-611-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/2044-613-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/2044-612-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/2044-579-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/2044-608-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/2044-607-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/2044-609-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/2044-606-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/2044-594-0x00000000066A0000-0x00000000066D2000-memory.dmp

Filesize
200KB

Download
memory/2044-595-0x000000006F1E0000-0x000000006F22C000-memory.dmp

Filesize
304KB

Download
memory/2044-578-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/2044-593-0x0000000006120000-0x000000000616C000-memory.dmp

Filesize
304KB

Download
memory/2044-592-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/2044-591-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/2044-581-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/2044-580-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/2748-625-0x000000006F1E0000-0x000000006F22C000-memory.dmp

Filesize
304KB

Download