Analysis
-
max time kernel
930s -
max time network
845s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
24-06-2024 07:13
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_1001_ld.exe
Resource
win11-20240611-en
General
-
Target
https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_1001_ld.exe
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLPUTSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverFinalPolicy" regsvr32.exe -
Possible privilege escalation attempt 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 4388 takeown.exe 3036 icacls.exe 2172 takeown.exe 3696 icacls.exe 852 takeown.exe 1776 icacls.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 16 IoCs
Processes:
LDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exepid process 4780 LDPlayer9_ens_1001_ld.exe 1760 LDPlayer.exe 4752 dnrepairer.exe 5024 dismhost.exe 4540 Ld9BoxSVC.exe 3332 driverconfig.exe 3456 dnplayer.exe 420 Ld9BoxSVC.exe 3160 vbox-img.exe 1144 vbox-img.exe 2816 vbox-img.exe 3480 Ld9BoxHeadless.exe 1092 Ld9BoxHeadless.exe 2800 Ld9BoxHeadless.exe 2024 Ld9BoxHeadless.exe 1092 Ld9BoxHeadless.exe -
Loads dropped DLL 64 IoCs
Processes:
LDPlayer9_ens_1001_ld.exednrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4752 dnrepairer.exe 4752 dnrepairer.exe 4752 dnrepairer.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 5024 dismhost.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 4540 Ld9BoxSVC.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 3332 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 4788 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2784 regsvr32.exe 2800 regsvr32.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exepid process 3696 icacls.exe 852 takeown.exe 1776 icacls.exe 4388 takeown.exe 3036 icacls.exe 2172 takeown.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\msvcp100.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\SUPLoggerCtl.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDD.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSVC.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5WinExtras.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxInstallHelper.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\concrt140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\USBInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcp140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\bldRTIsoMaker.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5OpenGL.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_CM.dll dnrepairer.exe File opened for modification C:\Program Files\ldplayer9box\msvcp140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\UICommon.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxRes.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\dasync.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\vccorlib140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\regsvr32_x86.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxBugReport.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9VMMR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDTrace.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libcurl.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetLwfUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5Gui.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\vccorlib140.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\USBUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSupLib.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_V2_utils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcr100.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\host_manager2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\dasync.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSampleDevice.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\dpinst_86.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxNetNAT.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxProxyStub.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dism.exedismhost.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1804 sc.exe 1788 sc.exe 2544 sc.exe 4776 sc.exe 1184 sc.exe 4604 sc.exe 2668 sc.exe 3324 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dnplayer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dnplayer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dnplayer.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3148 taskkill.exe 2544 taskkill.exe 3448 taskkill.exe 2436 taskkill.exe -
Processes:
dnplayer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" dnplayer.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exeLd9BoxSVC.exeLDPlayer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ = "IVirtualSystemDescription" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9}\ = "IDnDModeChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\ = "IMediumRegisteredEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\NumMethods\ = "39" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\ = "IGuestFileStateChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\CLSID\ = "{20191216-47b9-4a1e-82b2-07ccd5323c3f}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-c927-11e7-b788-33c248e71fc7} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ = "IGuestProcessEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\NumMethods\ = "22" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.apk\Shell LDPlayer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7DB-4616-AAC6-CFB94D89BA78}\ProxyStubClsid32 Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}\ = "IForm" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\ = "IDHCPGroupCondition" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808E-11E9-B773-133D9330F849}\NumMethods\ = "13" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5637-472A-9736-72019EABD7DE}\TypeLib Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\NumMethods\ = "15" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80e1-4a8a-93a1-67c5f92a838a} Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\NumMethods\ = "14" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800a-40f8-87a6-170d02249a55} Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32 Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\NumMethods regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8384-11E9-921D-8B984E28A686}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\ = "IDHCPGroupCondition" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\ = "IMediumFormat" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32 Ld9BoxSVC.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exemsedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 719463.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier msedge.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeLDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exepowershell.exemsedge.exepowershell.exepowershell.exemsedge.exepid process 896 msedge.exe 896 msedge.exe 4724 msedge.exe 4724 msedge.exe 1772 msedge.exe 1772 msedge.exe 4664 identity_helper.exe 4664 identity_helper.exe 2092 msedge.exe 2092 msedge.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 4752 dnrepairer.exe 4752 dnrepairer.exe 2024 powershell.exe 2024 powershell.exe 4500 msedge.exe 4500 msedge.exe 4500 msedge.exe 4500 msedge.exe 908 powershell.exe 908 powershell.exe 3924 powershell.exe 3924 powershell.exe 1760 LDPlayer.exe 1760 LDPlayer.exe 4780 LDPlayer9_ens_1001_ld.exe 4780 LDPlayer9_ens_1001_ld.exe 2908 msedge.exe 2908 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dnplayer.exepid process 3456 dnplayer.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid process 652 652 652 652 652 652 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Processes:
msedge.exepid process 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
LDPlayer9_ens_1001_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exedescription pid process Token: SeDebugPrivilege 4780 LDPlayer9_ens_1001_ld.exe Token: SeShutdownPrivilege 4780 LDPlayer9_ens_1001_ld.exe Token: SeCreatePagefilePrivilege 4780 LDPlayer9_ens_1001_ld.exe Token: SeDebugPrivilege 3148 taskkill.exe Token: SeDebugPrivilege 2544 taskkill.exe Token: SeDebugPrivilege 3448 taskkill.exe Token: SeDebugPrivilege 2436 taskkill.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeTakeOwnershipPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe Token: SeDebugPrivilege 1760 LDPlayer.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
Processes:
msedge.exednplayer.exepid process 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 3456 dnplayer.exe -
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
msedge.exednplayer.exepid process 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 4724 msedge.exe 3456 dnplayer.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
LDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exepid process 4780 LDPlayer9_ens_1001_ld.exe 1760 LDPlayer.exe 4752 dnrepairer.exe 4540 Ld9BoxSVC.exe 3332 driverconfig.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 4724 wrote to memory of 1480 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 1480 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 3352 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 896 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 896 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe PID 4724 wrote to memory of 4844 4724 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_1001_ld.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc180c3cb8,0x7ffc180c3cc8,0x7ffc180c3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5908 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6652 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3336 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,17363119658031885749,207501470773931868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayer.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayerex.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM bugreport.exe /T2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\LDPlayer\LDPlayer9\LDPlayer.exe"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\LDPlayer\LDPlayer9\dnrepairer.exe"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=1317743⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\net.exe"net" start cryptsvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start cryptsvc5⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Softpub.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Wintrust.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" cryptdlg.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features4⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\dismhost.exeC:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\dismhost.exe {DE2FB84A-3AC9-41B8-A905-EBC72D3D5E09}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exesc query HvHost4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute4⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" start Ld9BoxSup4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc180c3cb8,0x7ffc180c3cc8,0x7ffc180c3cd83⤵
-
C:\LDPlayer\LDPlayer9\dnplayer.exe"C:\LDPlayer\LDPlayer9\\dnplayer.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sc.exesc query HvHost3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute3⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc180c3cb8,0x7ffc180c3cc8,0x7ffc180c3cd84⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004DC1⤵
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\LDPlayer\LDPlayer9\MSVCP120.dllFilesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
C:\LDPlayer\LDPlayer9\MSVCR120.dllFilesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
C:\LDPlayer\LDPlayer9\crashreport.dllFilesize
51KB
MD519dae6362eb73913f7947f719be52516
SHA1e157307ae8e87c9a6f31bc62ecdf32d70f8648d9
SHA256ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d
SHA512f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2
-
C:\LDPlayer\LDPlayer9\dnmultiplayer.exeFilesize
1.2MB
MD5330013a714c5dc0c561301adcccd8bc8
SHA1030b1d6ac68e64dec5cbb82a75938c6ce5588466
SHA256c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a
SHA5126afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1
-
C:\LDPlayer\LDPlayer9\dnplayer.exeFilesize
3.6MB
MD52061141f3c490b5b441eff06e816a6c2
SHA1d24166db06398c6e897ff662730d3d83391fdaaa
SHA2562f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0
SHA5126b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc
-
C:\LDPlayer\LDPlayer9\dnrepairer.exeFilesize
41.9MB
MD54def56a3500d5a4dec3ff797a88c5751
SHA11a53c9c6f3d1e27ac8532e09f87990505c8090de
SHA256c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4
SHA512a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8
-
C:\LDPlayer\LDPlayer9\dnresource.rccFilesize
5.0MB
MD5d4d2fd2ce9c5017b32fc054857227592
SHA17ee3b1127c892118cc98fb67b1d8a01748ca52d5
SHA256c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185
SHA512d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918
-
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otfFilesize
17.4MB
MD593b877811441a5ae311762a7cb6fb1e1
SHA1339e033fd4fbb131c2d9b964354c68cd2cf18bd1
SHA256b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b
SHA5127f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4
-
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otfFilesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exeFilesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dllFilesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dllFilesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dllFilesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dllFilesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dllFilesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dllFilesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dllFilesize
522KB
MD53e29914113ec4b968ba5eb1f6d194a0a
SHA1557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA51275078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dllFilesize
854KB
MD54ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA152693d4b5e0b55a929099b680348c3932f2c3c62
SHA256b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA51282e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dllFilesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
C:\LDPlayer\LDPlayer9\vms\config\leidian0.configFilesize
641B
MD524fffc24965eb01af8e76512955563c0
SHA177870d85618105fa07fec7be649eaff664aba047
SHA256cd47ae68a6cfa9a8476067cedb90fe23c0be83f60000e3257c68e42977d03953
SHA512b4dad8817a822c01b354a71f8b153e8cc1ac2a86d4d6b13de0be4f66494c9d0409dff7aabf7757578a06976389530a875c32541c02093bdda8472cb7d9dfc60d
-
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdkFilesize
35.1MB
MD54d592fd525e977bf3d832cdb1482faa0
SHA1131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59a91b6dd57fc9c4880d34e9e7c6b760f
SHA177a09da6ef4343a8b232386e000cd2d6b9fc30a3
SHA2560170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a
SHA5129fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bbfb66ff6f5e565ac00d12dbb0f4113d
SHA18ee31313329123750487278afb3192d106752f17
SHA256165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754
SHA5128ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD57c415e7dc2797ccf4e485afb986d72a2
SHA1084cd73e1f1b369c4dae335505c727c828b6bd8d
SHA256759fcca0cca54e5ca102533b0c93ff1eec3da0d53a7d697ae1e7d21a71180a2b
SHA51230135a4c60ce366f7dc5a8be86001f0b218bcdefa16df2835dc7492b179afa1c44bf22341aec8056c2db26ae8b64dfb67c3949456701dd44806802459419004e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5603e97890973cf594c870f4d152aca82
SHA1b8474be639ddc6a80b4ac9d3447c3faa8fdf8f8d
SHA2561b0af05fd73a6c6cf9ffc579fe3afa11603b6ecc33e2657e8c7a0c9eeb72d32d
SHA51250afc9e029d686ac021756125f8ea351b3179b78ecc1ce1baa61cc461cc36a7ac6ea8ffa8c8d69056a3c05bc95dc53d538f81a9bb4b8e75f68dbd43c95b7a275
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
7KB
MD598dc154f5a0451a573d566452179f0e7
SHA14d12f6659e98de59296de7333a26dad7fd903839
SHA256b617c5ca3cef3666bc8cc03f3aaee0a2b1c4a4b8f227c94c321f4b35e7ae8331
SHA512ed3ee4142b7586df754edd853f0f6f1578cda173e7a2194998992901104e1e4bca2f1a8579a296517b38bc87d679198cec261f19b5629e06b1852cd5cc6da1f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
184B
MD53c3c53b7997f20b9a5023d8f0c2690c2
SHA17834f0054a149f92b504256ea7e921ad395c019a
SHA2561a72ffd1c93eb7e00a3979ed60ba504a0c303150102a47a011f1c2438d2bc004
SHA5126ebe89ea78be3443aabfe3a65b1e4f1fbaba05977cd2da18bcac64030a318f14ae10614f5f6ce55bbb2979b9bdf250473f63eb511886934c145561a32fa8c663
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
7KB
MD507eb3530781d8b3dadbc757bbd928c4e
SHA1265385fa92e79c056c67c06b315135d7ca84abea
SHA2569ae11ee92f9760ec516ec5ac3924ea6d22c538844d1635fc8c76fce6818b521a
SHA512c027f4240957fc841acf7a7c4fcb514f0e82b014479880465f65d50751d5b855a463adc9a6c7ebe0e62145f1819c93900108e560e2d7322c3b08b1c97cc53c62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD58d1101b89a9cdf9e8f311a13d093ac8e
SHA1a4fe944260d034a92d78aafc6ff725c11cb1c3e7
SHA2567c2b89c26c5261bad6e7791c09fbf3d90dad233e45e0adc1baab02deaf8e3b7b
SHA51228a8d0e80dcfd0b4f705a11665f577a68e06c3182e985d10ba1e3603dd03d84d3687d8b2d4ca6880ef23bb55bdc06eca4ab401038a7787c15c9f46b037c5eb95
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD50aba6b3c8ba014257beea2548bee68be
SHA19246b87ded09d29ac1b17514c92f4e953ea83ab7
SHA256929974689a4a3dc922155bb2d17ccaa794e8646c7e94e3b0d665825c9add7ed0
SHA5122d1d6a550cb4912a9a532f4dbc66c5e8564f86ea8c2e0a43859ea6d03eea9111d1805adabcf0803d571a409f5d5b929c1e01357a2fc10536a4b5157edbeec9bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a254f3daec5ee9756d771a5749581a27
SHA191bd24e214891d25d359f72794acdb72338a2f0b
SHA2562b2c1c7dd2a7559f1c3fb84db0301ec2f2eb74ee778a2f2274bd60aad3609e85
SHA512cb4255201ce0d7060a86daefa8bd03ca0aefaebcfae872c00158afb70bf835cb596b1122e93153bf41d33bad95bbbc9f290e9d8f01460265a32ab1ae1cf14c3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5e141a6effcd598c8545a204205c47f1b
SHA1a8a3d1d874e0c11448680d166f9264874ad8485d
SHA256f0593be8ec9146a2adbf93c790ab40872ceda14c2ec3dc8f70087fa75fca524b
SHA51257fc48977c6f73df8d49f6bfa89fadc12dab414f02c488e349a72e1d1a8be5f19b1346c89b832fafdc8c0cd5fb0ebd686e9c85ea5a9f0ce42e898ec0da588b22
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ebeece206bd8884fac28c64c21fe1dd1
SHA1c8bd0c0cab6c109e2c410f72c4864bd8f9449b08
SHA256f2e6c06daf87cad91f7e13cd417c4b77f5683e2278561cc2d2eb5049d28e886a
SHA51268ef04cbbecf9c5afc0b0e33a04061028ba0f93cb72a3fe66ea625dc2ac57c5a60fea1ec903db930bc38efb47a676627320a809fa2a7fad2f4ad08b4ae67cdb5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD53b0fe57203bf235ee201ad97a1bfff98
SHA10e0b4faa0625da33cd6e422974b5e844fb1cccef
SHA256836eef7eaf034dcbae51bda07c1efb35358e8f2a90e2ffae1682c2a47780a9b2
SHA512d60f1370704f6d5783b37910857e87b61fcfad2e8ae50b0b3f1d22cbac0dfceb4cf9901908df789cb6d51e30b60f9c9c1091ecd3b0e83c0eefff2bb70991e343
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ea47.TMPFilesize
706B
MD543a7dd9954a8587dab6946a2b9f37999
SHA1b1ad73e2d36278bf847574822247bbdfba55c0ca
SHA2567dc4cfbdc873a5f42685adb0fe6ff523f85936c280d32f9f594b780df401a4d2
SHA512c1380c98d742a2563475303ec245248aa03f9cf7a7bf3e89dd398de87bb7279fe94c174dea5e805ccbcd442ad3ceedd05f54e613d8faccc481b021a2a0a5610b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD543cd721244c76169bc593b9e2586ae2c
SHA10fd9a445815f5ae85ccb0ee9506238bf1a6c9c7e
SHA256f69d30ce37535ae16843c7d4b4236e4f9cd6d2204802802c4c05cfeb68eaf531
SHA512811b7a6715229b40637cf2d72f61c2e29fdb911919f5ac1e6361a5199d106592bdaf3ba07ae44b305b6bee92486e6b7162d91a95626cc22201b9533a491e0b4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ef39630a40df319cbeb11070b3dc5409
SHA1c1ba397feee641747609ed93ceb169d6e439737f
SHA2568403002b8f6c5387aba36d0ffa149c095d605c8a16177d75caa5ffc08070f826
SHA5122cfaaab3ceddb8e1ddf438dc0cae2ebe69a66d738c5402e33a603f476f101fe348b1ece00ece0cd4585a8a03d0ba495e9573fb03be0191c446650205cc911e02
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\DismCorePS.dllFilesize
200KB
MD57f751738de9ac0f2544b2722f3a19eb0
SHA17187c57cd1bd378ef73ba9ad686a758b892c89dc
SHA256db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc
SHA5120891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\DismHost.exeFilesize
168KB
MD517275206102d1cf6f17346fd73300030
SHA1bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166
SHA256dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6
SHA512ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\DismProv.dllFilesize
292KB
MD52ac64cc617d144ae4f37677b5cdbb9b6
SHA113fe83d7489d302de9ccefbf02c7737e7f9442f9
SHA256006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44
SHA512acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\EdgeProvider.dllFilesize
200KB
MD5c22cc16103ee51ba59b765c6b449bddb
SHA1b0683f837e1e44c46c9a050e0a3753893ece24ad
SHA256eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b
SHA5122c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\Ffuprovider.dllFilesize
680KB
MD5a41b0e08419de4d9874893b813dccb5c
SHA12390e00f2c2bc9779e99a669193666688064ea77
SHA25657ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3
SHA512bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\ImagingProvider.dllFilesize
248KB
MD54c6d681704e3070df2a9d3f42d3a58a2
SHA1a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81
SHA256f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137
SHA512daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\IntlProvider.dllFilesize
312KB
MD534035aed2021763bec1a7112d53732f1
SHA17132595f73755c3ae20a01b6863ac9518f7b75a4
SHA256aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731
SHA512ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\LogProvider.dllFilesize
108KB
MD5c63f6b6d4498f2ec95de15645c48e086
SHA129f71180feed44f023da9b119ba112f2e23e6a10
SHA25656aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde
SHA5123a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\OSProvider.dllFilesize
180KB
MD5e9833a54c1a1bfdab3e5189f3f740ff9
SHA1ffb999c781161d9a694a841728995fda5b6da6d3
SHA256ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85
SHA5120b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\OfflineSetupProvider.dllFilesize
213KB
MD53437087e6819614a8d54c9bc59a23139
SHA1ae84efe44b02bacdb9da876e18715100a18362be
SHA2568b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74
SHA512018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\ProvProvider.dllFilesize
800KB
MD52ef388f7769205ca319630dd328dcef1
SHA16dc9ed84e72af4d3e7793c07cfb244626470f3b6
SHA2564915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf
SHA512b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\ServicingCommon.dllFilesize
944KB
MD507231bdae9d15bfca7d97f571de3a521
SHA104aec0f1afcf7732bc4cd1f7aab36e460c325ba6
SHA256be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935
SHA5122a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\SysprepProvider.dllFilesize
820KB
MD54dfa1eeec0822bfcfb95e4fa8ec6c143
SHA154251e697e289020a72e1fd412e34713f2e292cf
SHA256901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494
SHA5125f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\TransmogProvider.dllFilesize
1.3MB
MD5c1c56a9c6ea636dbca49cfcc45a188c3
SHA1d852e49978a08e662804bf3d7ec93d8f6401a174
SHA256b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf
SHA512f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\UnattendProvider.dllFilesize
256KB
MD57c61284580a6bc4a4c9c92a39bd9ea08
SHA14579294e3f3b6c03b03b15c249b9cac66e730d2a
SHA2563665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8
SHA512b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\Vhdprovider.dllFilesize
596KB
MD58a655555544b2915b5d8676cbf3d77ab
SHA15a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2
SHA256d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27
SHA512c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93
-
C:\Users\Admin\AppData\Local\Temp\63931C30-56DE-499D-AD32-DA895AF9E1ED\WimProvider.dllFilesize
672KB
MD5bcf8735528bb89555fc687b1ed358844
SHA15ef5b24631d2f447c58b0973f61cb02118ae4adc
SHA25678b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c
SHA5128b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5
-
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dllFilesize
79KB
MD5d9cb0b4a66458d85470ccf9b3575c0e7
SHA11572092be5489725cffbabe2f59eba094ee1d8a1
SHA2566ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA51294937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlnydltm.yza.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dllFilesize
73KB
MD5b001f88504c8c9973e9a3b4dc03e6d1a
SHA1a54b3046a70a4f2c792ad6a382b637b599f1dc48
SHA2568ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd
SHA512390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8
-
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 719463.crdownloadFilesize
3.3MB
MD586fca06e090f8017dd323ccc516a7ed9
SHA1720fd4f4d0ac09308d19d229c8fbfde71313ce7d
SHA2565516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874
SHA51205f6ea47c48a2da3304a2d14a741403200ccf47e1f1b7155a2eba3fe694e4f42b8a327010fbc20b720ba06e4f84ee96b39d885989ae7cd20cc459261cd02b34b
-
C:\Windows\Logs\DISM\dism.logFilesize
18KB
MD5a8ba195ae1654ab8d0e08a715d48f819
SHA1448bb0e15b7cd2588a91c694eb4d9949399c6f91
SHA256233e8213586ea2c42bcd0322b73c80b9cd1ef9d2e172d0056457e93d3a94d5b3
SHA512fac56e11936aecb5033e05b51142e9f80a7111a189d14f6f3dfaa6f1a6b9fce224c5fdadccdfdd3721ac4a6e5ce960ff150070b7772225d8e2e1b48d400ba3d9
-
C:\Windows\Logs\DISM\dism.logFilesize
23KB
MD56eae7408900982a17fe9863847bb5558
SHA15a94ce045267eb7b139ca747bf324254130bb844
SHA256b873074b9b8242b2ed7e9119e55b5d7b69334badef26217b122bb9bac5b2d921
SHA512528870c7e7ee81f916d9377ec2ceb965a0968ef79f9f38e3657a50c86103c09cf7a830f31a0a72b3a76c709ce85fa70492ea3c143b84fb2b91dbe84158439155
-
\??\pipe\LOCAL\crashpad_4724_AFUDXAAGEKKBXCTVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/908-800-0x00000000060A0000-0x00000000063F7000-memory.dmpFilesize
3.3MB
-
memory/908-801-0x000000006E4C0000-0x000000006E50C000-memory.dmpFilesize
304KB
-
memory/2024-788-0x0000000007C40000-0x0000000007C4E000-memory.dmpFilesize
56KB
-
memory/2024-786-0x0000000007C80000-0x0000000007D16000-memory.dmpFilesize
600KB
-
memory/2024-767-0x00000000066A0000-0x00000000066BE000-memory.dmpFilesize
120KB
-
memory/2024-766-0x0000000006160000-0x00000000064B7000-memory.dmpFilesize
3.3MB
-
memory/2024-787-0x0000000007C00000-0x0000000007C11000-memory.dmpFilesize
68KB
-
memory/2024-756-0x00000000056F0000-0x0000000005712000-memory.dmpFilesize
136KB
-
memory/2024-757-0x0000000005890000-0x00000000058F6000-memory.dmpFilesize
408KB
-
memory/2024-755-0x0000000005A30000-0x000000000605A000-memory.dmpFilesize
6.2MB
-
memory/2024-754-0x0000000002EA0000-0x0000000002ED6000-memory.dmpFilesize
216KB
-
memory/2024-771-0x0000000007650000-0x0000000007684000-memory.dmpFilesize
208KB
-
memory/2024-785-0x0000000007A70000-0x0000000007A7A000-memory.dmpFilesize
40KB
-
memory/2024-783-0x0000000008040000-0x00000000086BA000-memory.dmpFilesize
6.5MB
-
memory/2024-784-0x00000000079F0000-0x0000000007A0A000-memory.dmpFilesize
104KB
-
memory/2024-782-0x00000000076C0000-0x0000000007764000-memory.dmpFilesize
656KB
-
memory/2024-768-0x00000000066E0000-0x000000000672C000-memory.dmpFilesize
304KB
-
memory/2024-781-0x0000000007690000-0x00000000076AE000-memory.dmpFilesize
120KB
-
memory/2024-772-0x000000006E4C0000-0x000000006E50C000-memory.dmpFilesize
304KB
-
memory/2024-789-0x0000000007D20000-0x0000000007D3A000-memory.dmpFilesize
104KB
-
memory/3456-928-0x0000000001090000-0x00000000010A6000-memory.dmpFilesize
88KB
-
memory/3456-1319-0x000000006C580000-0x000000006DF7B000-memory.dmpFilesize
26.0MB
-
memory/3456-950-0x00000000368B0000-0x00000000368C0000-memory.dmpFilesize
64KB
-
memory/3456-1318-0x000000006BED0000-0x000000006BF4A000-memory.dmpFilesize
488KB
-
memory/3456-1317-0x000000006BF50000-0x000000006BFCE000-memory.dmpFilesize
504KB
-
memory/3456-1316-0x000000006BFD0000-0x000000006C576000-memory.dmpFilesize
5.6MB
-
memory/3456-1321-0x000000006BE70000-0x000000006BEC9000-memory.dmpFilesize
356KB
-
memory/3924-819-0x000000006E4C0000-0x000000006E50C000-memory.dmpFilesize
304KB
-
memory/4780-131-0x00000000739B0000-0x00000000739C6000-memory.dmpFilesize
88KB
-
memory/4780-135-0x0000000008E30000-0x0000000008E74000-memory.dmpFilesize
272KB
-
memory/4780-130-0x00000000077E0000-0x00000000077F6000-memory.dmpFilesize
88KB
-
memory/4780-133-0x0000000007DB0000-0x0000000008356000-memory.dmpFilesize
5.6MB
-
memory/4780-134-0x00000000079A0000-0x0000000007A32000-memory.dmpFilesize
584KB
-
memory/4780-139-0x0000000007B40000-0x0000000007B4A000-memory.dmpFilesize
40KB
-
memory/4780-138-0x0000000009550000-0x0000000009A7C000-memory.dmpFilesize
5.2MB
-
memory/4780-137-0x0000000008FB0000-0x0000000009016000-memory.dmpFilesize
408KB
-
memory/4780-136-0x0000000008F10000-0x0000000008FAC000-memory.dmpFilesize
624KB