5f1ee7eac585adb1a5279041b286b4adff6ff9d29d459ca0dd05bb0d2bfe26d2

Analysis

max time kernel
181s
max time network
184s
platform
windows7_x64
resource
win7-20240508-es
resource tags

arch:x64arch:x86image:win7-20240508-eslocale:es-esos:windows7-x64systemwindows
submitted
28-06-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_1009_ld.exe
Size

3.4MB
MD5

0d183c971971fe69c6c62b4bbfede0c7
SHA1

0ac34c620f6ab8ec1aa45312bfd54a794ebd7c28
SHA256

5f1ee7eac585adb1a5279041b286b4adff6ff9d29d459ca0dd05bb0d2bfe26d2
SHA512

c1990a97e1d1d1c93256dad443f2bc98739ca18b6e26b77a4810a190b70021aa64b77e33b387e124bc83356a3bdefadd900823f59039a2e50773c991796282fb
SSDEEP

49152:8LF2vxcUuniqfal7nA1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701hd:8LF2vFuniqfa21t0xOoGBiCV2HCyh

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "WVTAsn1CatMemberInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid process

760 icacls.exe
1204 icacls.exe
1092 takeown.exe
2944 icacls.exe
2688 takeown.exe
1156 icacls.exe
2284 takeown.exe
1632 takeown.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid process

1092 takeown.exe
2944 icacls.exe
2688 takeown.exe
1156 icacls.exe
2284 takeown.exe
1632 takeown.exe
760 icacls.exe
1204 icacls.exe

pid	process
760	icacls.exe
1204	icacls.exe
1092	takeown.exe
2944	icacls.exe
2688	takeown.exe
1156	icacls.exe
2284	takeown.exe
1632	takeown.exe

pid	process
1092	takeown.exe
2944	icacls.exe
2688	takeown.exe
1156	icacls.exe
2284	takeown.exe
1632	takeown.exe
760	icacls.exe
1204	icacls.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

Processes:

LDPlayer9_es_1009_ld.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser	LDPlayer9_es_1009_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser	LDPlayer9_es_1009_ld.exe

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

76 discord.com
61 discord.com
62 discord.com
63 discord.com
73 discord.com
74 discord.com
75 discord.com
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	ioc
76	discord.com
61	discord.com
62	discord.com
63	discord.com
73	discord.com
74	discord.com
75	discord.com

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRes.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxC.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCAPI.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-math-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Core.dll	dnrepairer.exe

Drops file in Windows directory 1 IoCs

Processes:

dism.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe

Executes dropped EXE 14 IoCs

Processes:

LDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exe

pid	process
1936	LDPlayer.exe
2528	dnrepairer.exe
2332	Ld9BoxSVC.exe
2720	driverconfig.exe
3064	dnplayer.exe
2468	Ld9BoxSVC.exe
2452	vbox-img.exe
2204	vbox-img.exe
1528	vbox-img.exe
2592	Ld9BoxHeadless.exe
2596	Ld9BoxHeadless.exe
2672	Ld9BoxHeadless.exe
2616	Ld9BoxHeadless.exe
932	Ld9BoxHeadless.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

584 sc.exe
1980 sc.exe
1164 sc.exe
1796 sc.exe
2964 sc.exe
2372 sc.exe
2808 sc.exe
2032 sc.exe

pid	process
584	sc.exe
1980	sc.exe
1164	sc.exe
1796	sc.exe
2964	sc.exe
2372	sc.exe
2808	sc.exe
2032	sc.exe

Loads dropped DLL 64 IoCs

Processes:

LDPlayer9_es_1009_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exedriverconfig.exe

pid	process
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1936	LDPlayer.exe
2528	dnrepairer.exe
2528	dnrepairer.exe
2528	dnrepairer.exe
2528	dnrepairer.exe
2528	dnrepairer.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2332	Ld9BoxSVC.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
1524	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1668	regsvr32.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
2720	driverconfig.exe
2720	driverconfig.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

548 taskkill.exe
2212 taskkill.exe
2000 taskkill.exe
956 taskkill.exe

pid	process
548	taskkill.exe
2212	taskkill.exe
2000	taskkill.exe
956	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exednplayer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "11928"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2889"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "407"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "23049"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "4363"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "410"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "331"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "492"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1734"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1652"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000f83789e454f442c1318e53720e84eea53d59c6b2f98793199f12c518f69d4f19000000000e8000000002000020000000c0d14992a556748b8e6806f36c658b14fecfde111481cde03149cd536cb93fda200000003027d3bbed4f746d4c1cb611a48ef733a0c49235414a4b06ba13cf8a9c26f13940000000bdfd782b73d18a14f5e491deb6fdb432867b182c0185117114092d0e91e1eab07422503e48ae3786c9536e249cc37031a603b201cf07e991580272efcc5145a8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "11840"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "492"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2971"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MAIN	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "23049"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "325"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "1734"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "407"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "2889"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "11618"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "11922"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "2971"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9058de0a88c9da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "410"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1652"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "4363"	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

regsvr32.exeLd9BoxSVC.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\ = "IEmulatedUSB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\ = "IRecordingSettings"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\ = "IGuestFileSizeChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\ = "IVBoxSVCAvailabilityChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\ = "IExtPack"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ = "IMachineDebugger"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7e72-4f34-b8f6-682785620c57}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\NumMethods\ = "8"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ = "IHostNetworkInterface"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5637-472A-9736-72019EABD7DE}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}\ = "IDisplay"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\NumMethods\ = "37"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\ = "IVBoxSVCRegistration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-319C-4E7E-8150-C5837BD265F6}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448e-bc7c-94e9e173bf57}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4b81-0077-1dcb004571ba}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3EE4-11E9-B872-CB9447AAD965}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ = "IConsole"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ = "IGuestFileReadEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7997-4595-A731-3A509DB604E5}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8084-11E9-B185-DBE296E54799}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ = "IFramebuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}\NumMethods\ = "43"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\NumMethods\ = "17"	regsvr32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

LDPlayer9_es_1009_ld.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_es_1009_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LDPlayer9_es_1009_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	LDPlayer9_es_1009_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_es_1009_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	LDPlayer9_es_1009_ld.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

LDPlayer9_es_1009_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exednplayer.exe

pid	process
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1196	LDPlayer9_es_1009_ld.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
1936	LDPlayer.exe
2528	dnrepairer.exe
1396	powershell.exe
2648	powershell.exe
928	powershell.exe
1936	LDPlayer.exe
3064	dnplayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dnplayer.exe

pid process

3064 dnplayer.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

432
432
432
432
432
432

pid	process
3064	dnplayer.exe

pid	process
432
432
432
432
432
432

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_es_1009_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	1196	LDPlayer9_es_1009_ld.exe
Token: SeShutdownPrivilege	1196	LDPlayer9_es_1009_ld.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe
Token: SeDebugPrivilege	1936	LDPlayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exednplayer.exe

pid process

2320 iexplore.exe
3064 dnplayer.exe
3064 dnplayer.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

dnplayer.exe

pid process

3064 dnplayer.exe
3064 dnplayer.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

2320 iexplore.exe
2320 iexplore.exe
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
2396 IEXPLORE.EXE
2396 IEXPLORE.EXE

pid	process
2320	iexplore.exe
3064	dnplayer.exe
3064	dnplayer.exe

pid	process
3064	dnplayer.exe
3064	dnplayer.exe

pid	process
2320	iexplore.exe
2320	iexplore.exe
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LDPlayer9_es_1009_ld.exeLDPlayer.exednrepairer.exenet.exe

description	pid	process	target process
PID 1196 wrote to memory of 548	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 548	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 548	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 548	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2212	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2212	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2212	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2212	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2000	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2000	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2000	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 2000	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 956	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 956	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 956	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 956	1196	LDPlayer9_es_1009_ld.exe	taskkill.exe
PID 1196 wrote to memory of 1936	1196	LDPlayer9_es_1009_ld.exe	LDPlayer.exe
PID 1196 wrote to memory of 1936	1196	LDPlayer9_es_1009_ld.exe	LDPlayer.exe
PID 1196 wrote to memory of 1936	1196	LDPlayer9_es_1009_ld.exe	LDPlayer.exe
PID 1196 wrote to memory of 1936	1196	LDPlayer9_es_1009_ld.exe	LDPlayer.exe
PID 1936 wrote to memory of 2528	1936	LDPlayer.exe	dnrepairer.exe
PID 1936 wrote to memory of 2528	1936	LDPlayer.exe	dnrepairer.exe
PID 1936 wrote to memory of 2528	1936	LDPlayer.exe	dnrepairer.exe
PID 1936 wrote to memory of 2528	1936	LDPlayer.exe	dnrepairer.exe
PID 2528 wrote to memory of 1876	2528	dnrepairer.exe	net.exe
PID 2528 wrote to memory of 1876	2528	dnrepairer.exe	net.exe
PID 2528 wrote to memory of 1876	2528	dnrepairer.exe	net.exe
PID 2528 wrote to memory of 1876	2528	dnrepairer.exe	net.exe
PID 1876 wrote to memory of 2928	1876	net.exe	net1.exe
PID 1876 wrote to memory of 2928	1876	net.exe	net1.exe
PID 1876 wrote to memory of 2928	1876	net.exe	net1.exe
PID 1876 wrote to memory of 2928	1876	net.exe	net1.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2304	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2924	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 1104	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 584	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2348	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2348	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2348	2528	dnrepairer.exe	regsvr32.exe
PID 2528 wrote to memory of 2348	2528	dnrepairer.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
1⤵
- Checks for any installed AV software in registry
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328044
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
PID:2928

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
PID:2304

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
PID:2924

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
4⤵
PID:1104

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
4⤵
PID:584

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
4⤵
PID:2348

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
4⤵
PID:2320

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
- Manipulates Digital Signatures
PID:3064

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2944

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2688

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
4⤵
- Drops file in Windows directory
PID:912

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:1980

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:1796

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:1164

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332

C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
4⤵
- Loads dropped DLL
PID:2264

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
4⤵
- Loads dropped DLL
PID:1524

C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:896

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1668

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
PID:2964

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\ldmutiplayer\" /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1092

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:760

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\ldmutiplayer\" /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/ykt8hgSabz
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:472076 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2396

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\dnplayer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3064

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
- Executes dropped EXE
PID:2452

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:2808

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:2032

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:584

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:2204

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
PID:2088

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2468

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2592

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2596

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2672

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2616

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Install Root Certificate

T1553.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
330013a714c5dc0c561301adcccd8bc8

SHA1
030b1d6ac68e64dec5cbb82a75938c6ce5588466

SHA256
c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a

SHA512
6afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.6MB

MD5
2061141f3c490b5b441eff06e816a6c2

SHA1
d24166db06398c6e897ff662730d3d83391fdaaa

SHA256
2f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0

SHA512
6b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc
Filesize
5.0MB

MD5
d4d2fd2ce9c5017b32fc054857227592

SHA1
7ee3b1127c892118cc98fb67b1d8a01748ca52d5

SHA256
c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185

SHA512
d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll
Filesize
532KB

MD5
ef46946bf30878e9ecf2044feefe7761

SHA1
873bd7311fd58de541d64955579ac1e3935e593e

SHA256
a788ce50d0e0bfa2d49027c91f0260d4a17491694a6634ea950ea37bc7f664aa

SHA512
f3c0c56903577a16119bcc39199fb446f9463f24435a8471ad508b8280639e178962bea70880f16918f5759d55393c68ee9412769062de4899b5071bf2d6dffd

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll
Filesize
379KB

MD5
413e78cd4603f4251407d30cfd504481

SHA1
d42e5ce14e38bbc62bd1d82f111efe3a7d5ad71b

SHA256
819567d94fe25e41e81c395faee4f8c97a17f0b45fcd1fc52aee436f9fb04020

SHA512
f1c162a511af04521497f19b01cfa7fd00e031141b504076da15bcd8ebc7c8ac8de7d4c5e3fcdcebe19870ca18a6f930684e0ea4cd9817821808300887166bc7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_CM.dll
Filesize
1.0MB

MD5
b6b5ae71db9f20a36a9b3ed95dd7859b

SHA1
d815967234b86b570cfd62f94d7688a5c630ffc7

SHA256
cdaceffdbf5b32247b6a3d05d7655b9071522b7eef265ac2cad9901d2422b90c

SHA512
a0ca59c6614956aa07757db572123cbbe21e570d4b0e4704a398360ded9184a9ea44ffbf9b868736aaec35305f40540560a0638f752627beaeaf60ef7195901e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES_V2.dll
Filesize
2.7MB

MD5
646456fd231e023b5cb5a42ec198db72

SHA1
c68ced52cccea67181a8ccfbe4185cbd79f7b7ca

SHA256
326706ead22f4325b01fdc479ff94c9ec52fba57fd03717f160313ad764eff9b

SHA512
8869dba375750c30f16f78aecf106dfaaf74b1ad131022817d571c5c56929870f4e9aa904975c4eeb4242dbabf138c7da8ed708abc82835b70603e17c47548f7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll
Filesize
11KB

MD5
1fb62ef7e71b24a44ea5f07288240699

SHA1
875261b5537ed9b71a892823d4fc614cb11e8c1f

SHA256
70a4cd55e60f9dd5d047576e9cd520d37af70d74b9a71e8fa73c41475caadc9a

SHA512
3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll
Filesize
11KB

MD5
0fb91d94f6d006da24a3a2df6d295d81

SHA1
db8ae2c45940d10f463b6dbecd63c22acab1eee2

SHA256
e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8

SHA512
16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll
Filesize
11KB

MD5
c1fdd419184ef1f0895e4f7282d04dc5

SHA1
42c00eee48c72bfde66bc22404cd9d2b425a800b

SHA256
e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7

SHA512
21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
11KB

MD5
e46bc300bf7be7b17e16ff12d014e522

SHA1
ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44

SHA256
002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e

SHA512
f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll
Filesize
14KB

MD5
e87192a43630eb1f6bdf764e57532b8b

SHA1
f9dda76d7e1acdbb3874183a9f1013b6489bd32c

SHA256
d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf

SHA512
30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
7041205ea1a1d9ba68c70333086e6b48

SHA1
5034155f7ec4f91e882eae61fd3481b5a1c62eb0

SHA256
eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d

SHA512
aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
8fd05f79565c563a50f23b960f4d77a6

SHA1
98e5e665ef4a3dd6f149733b180c970c60932538

SHA256
3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73

SHA512
587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll
Filesize
11KB

MD5
cedbeae3cb51098d908ef3a81dc8d95c

SHA1
c43e0bf58f4f8ea903ea142b36e1cb486f64b782

SHA256
3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0

SHA512
72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll
Filesize
11KB

MD5
13b358d9ecffb48629e83687e736b61d

SHA1
1f876f35566f0d9e254c973dbbf519004d388c8d

SHA256
1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd

SHA512
08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
11KB

MD5
c9649c9873f55cb7cdc3801b30136001

SHA1
3d2730a1064acd8637bfc69f0355095e6821edfd

SHA256
d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f

SHA512
39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
11KB

MD5
bedc3d74c8a93128ef9515fd3e1d40eb

SHA1
d207c881751c540651dbdb2dbd78e7ecd871bfe1

SHA256
fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32

SHA512
cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
769bf2930e7b0ce2e3fb2cbc6630ba2e

SHA1
b9df24d2d37ca8b52ca7eb5c6de414cb3159488a

SHA256
d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a

SHA512
9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll
Filesize
11KB

MD5
89766e82e783facf320e6085b989d59d

SHA1
a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed

SHA256
b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90

SHA512
ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
11KB

MD5
b8bce84b33ae9f56369b3791f16a6c47

SHA1
50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4

SHA256
0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8

SHA512
326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
12KB

MD5
77e9c54da1436b15b15c9c7e1cedd666

SHA1
6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360

SHA256
885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658

SHA512
6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
13KB

MD5
540d7c53d63c7ff3619f99f12aac0afe

SHA1
69693e13c171433306fb5c9be333d73fdf0b47ed

SHA256
3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36

SHA512
ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
6486e2f519a80511ac3de235487bee79

SHA1
b43fd61e62d98eea74cf8eb54ca16c8f8e10c906

SHA256
24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667

SHA512
02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll
Filesize
10KB

MD5
a37faea6c5149e96dc1a523a85941c37

SHA1
0286f5dafffa3cf58e38e87f0820302bcf276d79

SHA256
0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e

SHA512
a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
11KB

MD5
6e46e5cca4a98a53c6d2b6c272a2c3ba

SHA1
bc8f556ee4260cce00f4dc66772e21b554f793a4

SHA256
87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce

SHA512
cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll
Filesize
11KB

MD5
b72698a2b99e67083fabd7d295388800

SHA1
17647fc4f151c681a943834601c975a5db122ceb

SHA256
86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378

SHA512
33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll
Filesize
13KB

MD5
e1debeda8d4680931b3bb01fae0d55f0

SHA1
a26503c590956d4e2d5a42683c1c07be4b6f0ce7

SHA256
a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d

SHA512
a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
a639c64c03544491cd196f1ba08ae6e0

SHA1
3ee08712c85aab71cfbdb43dbef06833daa36ab2

SHA256
a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60

SHA512
c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
12KB

MD5
56486925434ebcb5a88dd1dfa173b3d0

SHA1
f6224dd02d19debc1ecc5d4853a226b9068ae3cd

SHA256
4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce

SHA512
7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
6f9f9d52087ae4d8d180954b9d42778b

SHA1
67419967a40cc82a0ca4151589677de8226f9693

SHA256
ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0

SHA512
22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll
Filesize
11KB

MD5
7243d672604766e28e053af250570d55

SHA1
7d63e26ffb37bf887760dc28760d4b0873676849

SHA256
f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18

SHA512
05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
c0c8790510471f12f3c4555e5f361e8e

SHA1
7adffc87c04b7df513bb163c3fbe9231b8e6566a

SHA256
60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80

SHA512
4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
ebac9545734cc1bec37c1c32ffaff7d8

SHA1
2b716ce57f0af28d1223f4794cc8696d49ae2f29

SHA256
d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26

SHA512
0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
c7c4a49c6ee6b1272ade4f06db2fa880

SHA1
b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e

SHA256
37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f

SHA512
62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
bef17bf1ba00150163a2e1699ff5840a

SHA1
89145a894b17427f4cb2b4e7e814c92457fd2a75

SHA256
48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328

SHA512
489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
fbfcf220f1bf1051e82a40f349d4beae

SHA1
43154ea6705ab1c34207b66a0a544ac211c1f37d

SHA256
9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d

SHA512
e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
2c8e5e31e996e2c0664f4a945cece991

SHA1
8522c378bdd189ce03a89199dd73ed0834b2fa95

SHA256
1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979

SHA512
14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll
Filesize
20KB

MD5
77c5cc86b89eed37610b80f24e88dcc2

SHA1
d2142ecce3432b545fedc8005cc1bf08065c3119

SHA256
3e8828ab7327f26da0687f683944ffc551440a3de1004cc512f04a2f498520f6

SHA512
81de6533bba83f01fed3f7beed1d329b05772b7a13ffe395414299c62e3e6d43173762cb0b326ea7ecf0e61125901fcee7047e7a7895b750de3d714c3fe0cc67

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
4394dafed734dfe937cf6edbbb4b2f75

SHA1
06ec8f1f8dd1eab75175a359a7a5a7ee08d7a57a

SHA256
35b247534f9a19755a281e6dc3490f8197dd515f518c6550208b862c43297345

SHA512
33d9c5041e0f5b0913dd8826ceb080e2284f78164effde1dbf2c14c1234d6b9f33af6ae9f6e28527092ad8c2dbc13bddfc73a5b8c738a725ad0c6bb0aa7fcfaf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll
Filesize
60KB

MD5
18bdfd4b9e28f7eba7cbb354e9c12fcb

SHA1
26222efacb3fce1995253002c3ce294c7045cf97

SHA256
3105da41b02009383826ed70857de1a8961daeb942e9068d0357cddd939fa154

SHA512
7d27eeff41b1e30579c2a813eea8385d8a9569bc1ece5310b0a3f375fba1894028c5cec2cf204e153a50411c5dcf1992e8ac38f1c068c8f8af9bd4897c379c04

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll
Filesize
12KB

MD5
7ddd5548e3c4de83d036b59dbf55867a

SHA1
e56b4d9cfca18fb29172e71546dc6ef0383ac4e9

SHA256
75f7b0937a1433ea7e7fa2904b02fd46296b31da822575c0a6bc2038805971ef

SHA512
9fb30ef628741cebbc0f80d07824e80c9c73e0e1341866f4e45dc362fea211d622aa1cffc9199be458609483f166f6c34c68b585efe196d370c100f9c7315e0d

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
a3f630a32d715214d6c46f7c87761213

SHA1
1078c77010065c933a7394d10da93bfb81be2a95

SHA256
d16db68b4020287bb6ce701b71312a9d887874c0d26b9ebd82c3c9b965029562

SHA512
920bb08310eadd7832011ac80edd3e12ce68e54e510949dbbde90adaac497debe050e2b73b9b22d9dc105386c45d558c3f9e37e1c51ed4700dd82b00e80410bc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
c99c9eea4f83a985daf48eed9f79531b

SHA1
56486407c84beecadb88858d69300035e693d9a6

SHA256
7c416d52a7e8d6113ff85bf833cae3e11c45d1c2215b061a5bbd47432b2244a5

SHA512
78b8fd1faada381b7c4b7b6721454a19969011c1d1105fc02ba8246b477440b83dc16f0e0ce0b953a946da9d1971b65315ac29dbb6df237a11becb3d981b16b9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
d3d72d7f4c048d46d81a34e4186600b4

SHA1
cdcad0a3df99f9aee0f49c549758ee386a3d915f

SHA256
fd8a73640a158857dd76173c5d97ceeba190e3c3eabf39446936b24032b54116

SHA512
6bf9d2fdc5c2d8cd08bf543ef7a0cdcb69d7658a12bee5601eeb9381b11d78d3c42ef9dd7e132e37d1ec34cc3dc66df0f50aefadfdc927904b520fdc2f994f18

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a992f1e06c3c32ffe9799d4750af070a

SHA1
97ffd536d048720010133c3d79b6deed7fc82e58

SHA256
b401edaac4b41da73356de9b3358dc21f8b998a63413c868510dc734b1e4022f

SHA512
50bd08680fccff190454e6555e65e2787bdc0e8a9bf711e364eb0b065951c2430559e049202b8f330ac65e9d4cd588349c524a71f700e179859d7829d8e840b8

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
cb4a19b88bec5a8806b419cf7c828018

SHA1
2bc264e0eccb1a9d821bca82b5a5c58dc2464c5d

SHA256
97e4c91103c186517fa248772b9204acf08fde05557a19efe28d11fb0932b1f7

SHA512
381edd45ecd5d2bdefd1e3ad0c8465a32620dfa9b97717cadb6a584c9528fed0d599d5a4889962f04908ca4e2b7b4497f0e69d8481ee5f34ea5d9106d99760c3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll
Filesize
336KB

MD5
65f2e5a61f39996c4df8ae70723ab1f7

SHA1
7b32055335b37d734b1ab518dcae874352cd6d5c

SHA256
8032b43bdd2f18ce7eb131e7cd542967081bea9490df08681bf805ce4f4d3aab

SHA512
0b44153ac0c49170008fb905a73b0ab3c167a75dc2f7330aed503f3c0aedfd5164a92d6f759959a11eceb69e2918cb97c571a82715ad41f6b96888d59973f822

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll
Filesize
51KB

MD5
54eb1567d87a7f8d522b558befab22da

SHA1
b461e8eadbfe5a5beff264aec3bb7456524d6e9e

SHA256
fca9cd3b650bb5384a25cdcf5a3947f246b5c3d9ca81c387fe1faab2427f20d3

SHA512
b1e3b347fabf3054ec729eefa7495f775f26fb4221bebfb785076e16ea1cfcd2d3738e2851ae0c8a753861bd8bad1931108067967f20faeebe33ed9b43916b93

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll
Filesize
67KB

MD5
38a04f46d8f9d5c9c7f7ee6a7175fd4e

SHA1
f829e1b3a21d1278f9729bb739b6e8cd74bcdead

SHA256
ad34635b76825b34172af347934c831182891dc2ca6820deeb8a8bd7974c822b

SHA512
603853062cdbe8790a4c82b7cc72ee381f5566f7715085f091042731bfdab5019686f3a2a61e33675be14560f7aedf96986188bdf4f88520eee38c7452c466aa

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe
Filesize
1.7MB

MD5
d17f4553c096a1ad78848bef1bf4da53

SHA1
80482424c100c03115ccaa3121e2631eb0afc29d

SHA256
b3a94233380c2e9197e8abbd18fe896e5acc5e976c490d0c5b18ed48d1aa5b6d

SHA512
d3fe99251f344204f62113bb16b2cfaa37f9d2885255e72029b5aa7d1d7eb96e24f21c0f8efc879b232862279bbf83514a26c5194b197c0cc1bf66c829ec8045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
1KB

MD5
ba21c84dabf1aeeb9b7e405ef5322dbf

SHA1
dd38b9373b3ef51ac3cee04f5610abd587e92e2a

SHA256
b58db86c7c2c0bebfa37c1bc5130223372c1d53df20ebb7d916bcd1f9b660384

SHA512
402f4e9042e6526b1897b637d8f68e50090d410e10be6adeb28fb83ab75fe2b72b15ed73c16bf9f50e7a16a28a09902e8910dc9b1f406a2cffa4ff8eb6f64cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
2KB

MD5
4f7cc61fc2490e7877e2369caa05273d

SHA1
5cbd0fbd747169c450e0b554fdaae1274b8c346b

SHA256
60624d5e58a7f593b5c9481c16471fe447d9752eace3883c662d079696d71f8f

SHA512
8e2ecdbccddc4cbcc19092c6ee05dac1f19f8097059a1cc35ce65033cbcd4890dea3d461942e4ec2d9ec78336edd22739f5d6f9cbd5504840f2cd032bed75e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
1f5554479485e2b5e556da8f00f9f03a

SHA1
bf96b3deccf742d7eba303c8dd786d035ac48387

SHA256
083a2aa4bec8ab72bea8f2135a5e3f832d9aebf9a4ae778d7ab27153b864a7e1

SHA512
fc516019e6586c6b59ce3e18dfc89f3f1e62a101eccbada6ea454e6d10677705823e630689462516acc69268c14a5e8581e4bf8c051fa9c8ce2f3f9af2f7884f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_B3A2491A9A3961423DD53D467E8D3BE5
Filesize
471B

MD5
3aa44e1e36de9443edae1c6d240e2368

SHA1
c68dbef5a50ff019b55329d0ef4d132e6eafd130

SHA256
d8c07be85f42ace71b4aa4f7b59f46e3573a2976cb8cdd50faec5596390c5583

SHA512
30c3ac5155cab2817b270e949eb9902acabe3625d7db6025ad3c184c326ccc06e9d6b1256e9062cc45073bd5a2b2e1ba94a443d6d9f066d3b1697e14482644fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
378f1eb217c2a1c427a39733bb6e23b6

SHA1
25feac1db145efdf3a03f2dd9a66d7514c46e15b

SHA256
e2a65d0bb8ac09a3e8b40225c48ee45064163f4f4785d10d69474c7e331821ba

SHA512
ea47ae66bebbbd1ea54be614138e8807d8a0a76890963337c11404ee612eea82619f7767ee2743f7253ac5bf72b5c4898a4965a6eed107fd652462e98a390cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
434B

MD5
4aada59b9b3dfceb2552e2922cd5f78b

SHA1
7821e471b93201a81ffdd6970fec61769aadf7dc

SHA256
659cf5b5eead3d82e98a7ede8e3b77fcbbe7a02889d63af0cb7832917e587b46

SHA512
674f05fbadcf2926cc239967ef714d0a14b3b91d7bf42689d026a75b742fe6a47b81e5fad1a438180a14e5763272c3f46d34d88e194fd0d9bee2f019105ef2da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
91275bce86400e38af8ef0934201f05c

SHA1
6da672708de993de543ec9133f2aa229ef8e5387

SHA256
c4f116dba1a5d11e02a693852a3b0dd0d72c13f992bc1758676e9636b26f2ccd

SHA512
92be1444847bfe900ac091325425b3ba3284720effb00ae95e60d69ea5b2f14d2b65fae2cccbd4f46b4a973a70214a301db1682b64e6d200236a4b113faef6e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b296b4eaa71e56aadaf3287609523392

SHA1
65b0907b46543b5422b821bebec45e9f070eb027

SHA256
b3a39d182b803b7719b9b6c48ccec65c288bdbafac81c2dfedc8b2f5643bc1a0

SHA512
5aeaf2d591ed55a838d2ff1f4b6bdb128a827a7562127cdca40590d87235166a4a4e31c5bab2c0914a0d4ce242fdecadafdbb8371b3d78358cc52c8ac7ad4e10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3b16e8e4945482a829419cf673c8e69d

SHA1
0084e814528743783ed9a0ddf356adaf7f37e164

SHA256
2a285ef4d0de1a8513c51d1425cf87d78caaf598e07ff1422516cd073ac25daa

SHA512
2fd503e48f787a59ca5169618efc25e426c5f5ed1fa8b1f6237884a9d3a4bc9c1859ca65ee159b714670a84caa251243ed60a4ef88e1d342ebe501b45ece1e7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ef62fd937ebd1fedd652ae1ccd6581c3

SHA1
401194a855118036779b71f51f6d9959f80a0f42

SHA256
a2c130c6111b07f4320f19dbb79b60bbad221fdd5a5957fc43dd4dcd33d1f844

SHA512
5d9f46a960bb6e6991e32938033feb51504e029e346edb723031ca6367782e537186cf57a98e405a642dbb6bd2373a7127a2dc7511b0de51f78e1d2415576caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1b9c2c58661e4fd45519c524b5e94e87

SHA1
46559007dbd34e88b0734b69d78e94308019b3f7

SHA256
0550e690e6d8d49f1f9c69d50e30b8c25eb44e57c8137dd612cb514e096bc299

SHA512
73449eb5cfdc21b8421eed3b8e2d8fe92de006a1ba8f3e0fbae460c8097fc4e5151ce20165791b0dc5ca2d167b9421b4493e7e1129c4d442128abd52925463d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5740692862ffe4769570efab83f9c7dd

SHA1
a7c5175cecef621ee54b2b094c561bc0b6145ab8

SHA256
01bcb6458b762571068bf091b227443ce5bd566d8aa7d7d4a72b0c9a593da391

SHA512
e1e7e64dcc2a939a54ddd5d9cc01f52cf36b091bf7568e52ed820ca352410478e0c3daa67a361ceaf03d0977c46c1cd589f8bdd9c495a8a36d9d7cf460350c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6be5e9db13c6305a95f7b158c00d1fbb

SHA1
99510832c6cb8105449f45eff68f14743e9dbb86

SHA256
7ef5e73c8cbea8d009cb13c87b011bfdab0772090f70ba40d444304b07e35a3b

SHA512
2867235ad849e20afc3f52a0ae28c896cd3146d7dcd584458086148c7ed3aba66438297b73895f7b22fd101bca53a480fb1b62895e68e15756d2d14dcd9171d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9da6e40b1055e2458d926ee8b99d9de9

SHA1
8e079a4f6cc7f3e37500c92183cd967ccd36f89e

SHA256
b8862621901860bfd44af481e113b0f5bc546094c817687fb1ce991a466392ea

SHA512
4f24b988ec812c33a0f665cdcca541de57b7ea5edee9d4282052f0cda8d52950381192022dd8e7cca5fc55746f984fc553c1049150d265287bdba48c89795565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bb9b795d90132afa7b42a33fc102010b

SHA1
ea286257855927283d61a939f2a0b9cb5a14d3bd

SHA256
979d67a0efc0734da588ebb3928028f130c5668cbb2b647d3daf97be8344523f

SHA512
990a9fcb3da7e526ad8094d583c25597b809127f118ccb06bf26d8e9f6d441b10006c70778fa6a8f3159dcb22cd3e007175631f9f1468cd3b432640fb9ddcd3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
92298e0f2a4c6f28b317a0fa7ba2055f

SHA1
05b7ddbe4e30022695b86426d61ec9d96214745f

SHA256
457f5ca61fd9566293917c02c06fd7fb4b361149ff7bee5bef3c237fd4dd6484

SHA512
6452041e667120254f79e439659bd6d9f773dd80f93c82bd2c2dc8259e90c2daa0f62897752c1c95fa79e812fe389dd7f08a6a7db44586c56edc7267f2b095a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f06cf6a1db042809fcd5d9c0b561675

SHA1
b6f1ee9b9de22b70f879b7aeb58367bcf59fe696

SHA256
f1bf68480cc3e2d11112a3cf424d246750678ef2036c55950a1269c22b7cc474

SHA512
64c8918392c3deae75e7936e06cf7d2609edc20278ba96a846a84d8e7c086f33b43e9643d5d16e801159230fc747314e9698d2b3d345d0ad6b0faa0985171dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
785ca027459ed862ddef200b822dd835

SHA1
6a8c2dd53c431b3e72a3649dcf293adadc64e9af

SHA256
c7a501efedb7603f1a4232801972d290422694c239d1cce64c8aa5e56309c268

SHA512
69a419df37e8ba8b5caabca41835088c4fdaca58bdfa27ebd8a69da43a2d92d05122a18d42a73ec4154d18dcdd984af661c4d27925fc5f5b8a121616755332bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
efb6abc546ee58f684e27fd0acad3cc0

SHA1
ec99673bc74bf4c97e970da09887f83e0d9a64c3

SHA256
fb01750c38863ef765dfc1fe37d3a1be95993d48f8d4aff46b1e1cfc6271e412

SHA512
ce19633aa8923f596f79e53e179a96ec4384e63825c6604e95f4912cb642cb33cfb1e2d6fbd4fd7a9245763f0a325469a8ad23c9578d05d291745a68958af9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8eedec4ce943b99071f9587f2cad0153

SHA1
49a22d43a0975cefedbce9d8812952ab544de354

SHA256
ba08db75f6c196af03cb8951025228030c1949d1170a447f7ddf9c3fbc15821d

SHA512
3c5e4be232165f6bf16612bf7bffb5186ec8bcb407ff82537650b923081a5a834cc754292716b748830e6f36fa51261768404c46900fe1951d9ce7c867bb7146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
12e8122a81d1bc00ae74378f90a2573a

SHA1
ceee468d27bf210f19dbcbc9edb95552a42e1973

SHA256
0a320d5128a93a6efb9c80716201c565470f83997b63c52c7ee18fa7d7f639b7

SHA512
f6c1885a8dec7481cfa4260d3d5a02599503d5febbaa01c514e26f00428168faee08cf10a252723e2d2ea67267016b2ec1bc7d0f4e86ccf355b49ac3a652652e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
56f4feb23595fdbcc1da6d6d1e374e5f

SHA1
943627a9745832e66cfe3336e0f661819d3d53ea

SHA256
191b092310713350eed2f0f67b46ca373cb8c2a17923239c5f5a880893146d7c

SHA512
5c6b60690b305ef62b850b38cd557d1febafb028010d78a4a439e4b26a685252d15c7e4f88c9661c9fc7e2a3fb54037ba2e9b6196a2245cdb134c28d3141239c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
228B

MD5
89a789845ebfdb32e4672de817124be5

SHA1
4e31c4f4858b8d98280e9628dd2615c4e0425545

SHA256
f0d08c2f3588f1047626a03c9e72dd05279e2316793444161fe50ecdcca0c468

SHA512
e7730ade213fbd65ca37c12f99e8c2ad55305b039fc2f0c7fe482956eeb1783d2b097ee54245e8d8769215f0b43d0e95d02d8ef46a8933af761989c038a7c82e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
228B

MD5
e29c963f1485564146f9daaa95f640ad

SHA1
8a96149b264f92f43f09d652bc2e86d4406af37b

SHA256
dea514f803c785f32da62302d26ae1c8e5eb4357cd5bfce3d130ab4e8803be82

SHA512
369f25f5ed23d9b484d8acac024e60bc1b36973f8eb9c8b08012b5c25bf6d6ad6e0e8e342b8880d308a18152c4f8fa12fa09e4ce4a36741fe0c67cf23593a1ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
638B

MD5
2b360a580d34f0a0a2544c961618274c

SHA1
43ba77ebfcb7824b567710d07a6abf2a53e51690

SHA256
47035eb4113255bfe3f6ae16cd32d8e04c6b393b62c1df8698e53d518d1f77e5

SHA512
f9e3165062fe0d7ef2131296d9b618c5d67ef150fbbfe40154007d4284cd5c72f2acebd0ef43b022f98eb78c3737da65298c4bf36fc1cf877000efa35b256353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
18KB

MD5
e6b5210719d65c2f55c76b072526009c

SHA1
a00c67a6df7bf43cfe0a7f4feba6f59e5ed3936a

SHA256
629df2a135952c65a735bcae74933fe31fda30d3dadbd95a203c30011f4f24fe

SHA512
90fe4802be749fe78bb5f3bd6cac823d50121febe872e9b5a687a2c817b8d3bfcfb8a034b036a47bdf4fb9f44409889ffbd0cacc878124bac09ff7062af04c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
35KB

MD5
1111e755e02d92252e272f0fa856ef21

SHA1
ce0a2cb4f753240468fd9b0d0b203c2ba594917d

SHA256
70cbf632ddb85be430683fe8b2580e5d18a22fc4ab4f4efc9b4cebefb905da5f

SHA512
650d9e4f7bfbcbc10492963c16cd02c9fc9d92d72d5360dc7bcd06f8fb4108d629ddbb3828cff185b2634724ea3d6d68b3b66186217a93269d8f2697c86ab628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
18KB

MD5
46583a05036c49e41944552fb7c44417

SHA1
9fb5b9302776ae02f71f0fd8138cda2968f661ad

SHA256
f0a692fa62201ab860032c3484e2cecf9325d9ead9604fc4a7b1efafdbff9aec

SHA512
c952c726ef17a135287e1fb878239800629b86169d4e8e3bb65c4351255d1fcd2f79f2522dd868369bb2b04e06626bb3d115dcba5020def9e555c851d5eacc3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
985B

MD5
4cf7edba377230ffbcafaf8d32d81b2a

SHA1
6da6055e27cceb662d4ad373718056c4ad34b76f

SHA256
39cc5849e12227ae829b9ff6490d25874adf71140e24b7491bc8f7375e8873c0

SHA512
84908fedf4552770335e7dfc57c6eb1ab8e516d7b37562eac990753ede44b8cc0b1c4df6c7a504300da89b4cfc122636ef74ea0efd48fe95a2fe980e4ff0b51a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
985B

MD5
b18cce0d1b0c7e0f92eb8848bd504dc2

SHA1
27fa2b46ec2fc232a3395bc3ff2afbcb65ec15c9

SHA256
a10fcc73b8f8e5da74dee7509ece5ea7c0ef2069ef73b815cf391ec176bcb66a

SHA512
3648059f629deafc5ffb0428778ec7895e795ea7e575190aa52f955d49dc82637e9fa71ddc6d0579719d66a9c1e5a005876b3272fc106030204f80dcdd451265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
985B

MD5
3db38e820e31440a97bdeb4d59cb1658

SHA1
3cf048ea1ae2dc19a70779f5b868380d1f295379

SHA256
fe750ac8bac7c0581a262f6e11b89af78044c0b40412ee9cfd058a3763a52f4f

SHA512
a4ab75bb72ce8e3f2a31e13282899578aa5bafd8d9d784e4a8df3b68851689a29ae62f5328801fbb7235091fc06d9e479d9d5e9670e87c97d84bc5809d2ec408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\U13NJ4T9\www.youtube[1].xml
Filesize
4KB

MD5
4ffeba2438a07918cc3b5a935e0a9db1

SHA1
b5e6d4d41e1ecdcf68617c6bbc67bc8a7eafed45

SHA256
2ea9cbb496e9c362f02fe4e9fdfd924bc5b4ea2b1f61e5665627b742dcd4e0c3

SHA512
e32e400e5f7eb8e7ea8176be9f99fd891868171b39285cfcbb71d14524cf6182cd05f6ab55af99187558e2a2d70505a78fa2380c1b854cb6d01437fef4df87e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\92mvs6j\imagestore.dat
Filesize
34KB

MD5
5b29f8fcb79465fa217e6ec0013d068f

SHA1
c005b5932dc4b9e70bf7d4652830e92285b4be01

SHA256
9da390d046bc2e9b8f66b56e67106ebff3facf62529bfbb05545f04f2cd3ad7f

SHA512
711cbf6f08189d03359ef99ad83662027afd7fdba4767d5f7fe3a8cdde584711fb7055bfbc88ae89dd04fd88bfed275567756f5b7ef23cda7711bc640dc8de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\favicon[1].ico
Filesize
9KB

MD5
a0c760136e1b6f7633a3582f734c53eb

SHA1
00176cd4ab6423fb4673ad856e79447b93dd05fe

SHA256
c7eb5447c806948853f817df7f8a1871a8707987d5606e39b145d69f7dc29cd1

SHA512
b5f9d0e6fc9346ac34a87fc5cb42bf375a0e2d58eff5fb53dfae4a1e576940cb2f57f921be390bb66b5ebc7b174b9d88d8519a27773624f1dabc960e077ecf65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\favicon[1].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2E14.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ED7.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFFBA3DDB731A223E8.TMP
Filesize
16KB

MD5
259cbd5205f346e686ee48909587644f

SHA1
1f08695d2e587e8dbb64c74c5f42a4fbed69295a

SHA256
365eb076e5efa0ee18d1fa6d68d3393702cf49737caf98dc08ffe33376eae4d2

SHA512
ad30e125eb98755badcc3ef6268ace53db5dd7fe2f8161c75cfdf3955a6c5c4d5bb76eb4fb6fd5f2d551309cf6a46a14c69f2c46c1b5382364c33b09577fc8b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67M64WLQDR1EDFU6DVUD.temp
Filesize
7KB

MD5
cfd27a9a66db543ad0d72d20c97b4813

SHA1
b1ad72d4d3ae9973f98c5bc527ef6fe9969c8cfa

SHA256
3240a74df2c0124ea59c10b166d6406370632ad2204655b568a9d12dbf06aec9

SHA512
a915e200eafa8c2d20d30c7b025f9ec84c72595552e0e58eae1c55d62dc99452dfc5fd1f4880eb302376d13d114b98c195d6c30972defde880fefb923c92d5d0

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
\LDPlayer\LDPlayer9\crashreport.dll
Filesize
51KB

MD5
19dae6362eb73913f7947f719be52516

SHA1
e157307ae8e87c9a6f31bc62ecdf32d70f8648d9

SHA256
ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d

SHA512
f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2

Download Submit
\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
41.9MB

MD5
4def56a3500d5a4dec3ff797a88c5751

SHA1
1a53c9c6f3d1e27ac8532e09f87990505c8090de

SHA256
c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4

SHA512
a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8

Download Submit
\LDPlayer\LDPlayer9\msvcp120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
\LDPlayer\LDPlayer9\msvcr120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
memory/1196-161-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-157-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-971-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-970-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/1196-11-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/1196-12-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000074570000-0x0000000074586000-memory.dmp

Filesize
88KB

Download
memory/1196-16-0x0000000003250000-0x0000000003266000-memory.dmp

Filesize
88KB

Download
memory/1196-160-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-159-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/1196-154-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1196-155-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-156-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-158-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2468-910-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/2468-909-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/3064-911-0x00000000054C0000-0x00000000054C2000-memory.dmp

Filesize
8KB

Download
memory/3064-901-0x0000000036F50000-0x0000000036F60000-memory.dmp

Filesize
64KB

Download
memory/3064-1484-0x000000006AD00000-0x000000006B2A6000-memory.dmp

Filesize
5.6MB

Download
memory/3064-1483-0x000000006B2B0000-0x000000006B32E000-memory.dmp

Filesize
504KB

Download
memory/3064-1482-0x000000006B330000-0x000000006CD2B000-memory.dmp

Filesize
26.0MB

Download
memory/3064-912-0x00000000054D0000-0x00000000054D2000-memory.dmp

Filesize
8KB

Download
memory/3064-1485-0x000000006AC80000-0x000000006ACFA000-memory.dmp

Filesize
488KB

Download
memory/3064-783-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/3064-2212-0x000000006AC80000-0x000000006ACFA000-memory.dmp

Filesize
488KB

Download
memory/3064-2211-0x000000006AD00000-0x000000006B2A6000-memory.dmp

Filesize
5.6MB

Download
memory/3064-2210-0x000000006B2B0000-0x000000006B32E000-memory.dmp

Filesize
504KB

Download
memory/3064-2209-0x000000006B330000-0x000000006CD2B000-memory.dmp

Filesize
26.0MB

Download