Analysis
-
max time kernel
132s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2024 04:34
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe
Resource
win10v2004-20240611-en
General
-
Target
https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
regsvr32.exeregsvr32.exeregsvr32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "WVTAsn1SpcIndirectDataContentEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL" regsvr32.exe -
Possible privilege escalation attempt 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 1460 takeown.exe 2996 icacls.exe 4944 takeown.exe 4356 icacls.exe 1676 takeown.exe 1556 icacls.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 16 IoCs
Processes:
LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exepid process 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 3200 LDPlayer.exe 5084 dnrepairer.exe 1420 dismhost.exe 4896 Ld9BoxSVC.exe 932 driverconfig.exe 1844 dnplayer.exe 2568 Ld9BoxSVC.exe 5152 vbox-img.exe 5520 vbox-img.exe 5632 vbox-img.exe 6020 Ld9BoxHeadless.exe 6124 Ld9BoxHeadless.exe 5456 Ld9BoxHeadless.exe 5472 Ld9BoxHeadless.exe 5648 Ld9BoxHeadless.exe -
Loads dropped DLL 64 IoCs
Processes:
LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exednrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exepid process 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 5084 dnrepairer.exe 5084 dnrepairer.exe 5084 dnrepairer.exe 5084 dnrepairer.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 1420 dismhost.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4896 Ld9BoxSVC.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4892 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 4452 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 1676 regsvr32.exe 3756 regsvr32.exe 3756 regsvr32.exe -
Modifies file permissions 1 TTPs 6 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 1460 takeown.exe 2996 icacls.exe 4944 takeown.exe 4356 icacls.exe 1676 takeown.exe 1556 icacls.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
Processes:
dnrepairer.exedescription ioc process File created C:\Program Files\ldplayer9box\SUPInstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\ldutils2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup.sys dnrepairer.exe File created C:\Program Files\ldplayer9box\tstVBoxDbg.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\UICommon.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxManage.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\host_manager.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\libssl-1_1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\libOpenglRender.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\capi.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\NetFltInstall.exe dnrepairer.exe File opened for modification C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES12Translator.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\msvcp100.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\libOpenglRender2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0 dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxStubBld.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\host_manager2.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSVC.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9VirtualBox.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxDDU.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Qt5WinExtras.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\USBUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\loadall.cmd dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat dnrepairer.exe File created C:\Program Files\ldplayer9box\bldRTIsoMaker.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\NetFltUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\SUPUninstall.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\platforms\qminimal.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\fastpipe.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\GLES_CM.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSVGA3D.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\api-ms-win-crt-private-l1-1-0.dll dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxSDL.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\VBoxTestOGL.exe dnrepairer.exe File created C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll dnrepairer.exe -
Drops file in Windows directory 2 IoCs
Processes:
dismhost.exedism.exedescription ioc process File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 4048 sc.exe 1284 sc.exe 932 sc.exe 1556 sc.exe 3864 sc.exe 4840 sc.exe 1420 sc.exe 2480 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
dnplayer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dnplayer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dnplayer.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
chrome.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3564 taskkill.exe 5048 taskkill.exe 3484 taskkill.exe 2428 taskkill.exe -
Processes:
dnplayer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" dnplayer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" dnplayer.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641093055079742" chrome.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exeLd9BoxSVC.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods\ = "16" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ProxyStubClsid32 Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\ = "IExtPack" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ = "ISessionStateChangedEvent" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422c-b45e-6d4a0503d9f1} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B7DB-4616-AAC6-CFB94D89BA78}\ = "IGuestProcessInputNotifyEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\TypeLib Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ = "IDHCPIndividualConfig" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ = "ISerialPort" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods\ = "34" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ = "IMouse" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}\NumMethods Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D4FC-485F-8613-5AF88BFCFCDC}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ = "IKeyboard" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ = "ICPUExecutionCapChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\TypeLib Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\NumMethods\ = "39" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416b-4181-8c4a-45ec95177aef} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CurVer Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\NumMethods\ = "19" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\NumMethods\ = "17" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\NumMethods\ = "25" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4a9e-43f4-b7a7-54bd285e22f4} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\TypeLib\Version = "1.3" Ld9BoxSVC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-b4a4-44ce-85a8-127ac5eb59dc} Ld9BoxSVC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ = "IRecordingChangedEvent" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\NumMethods regsvr32.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
chrome.exeLDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exechrome.exepid process 3100 chrome.exe 3100 chrome.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 5084 dnrepairer.exe 5084 dnrepairer.exe 3956 powershell.exe 3956 powershell.exe 3956 powershell.exe 1688 powershell.exe 1688 powershell.exe 1688 powershell.exe 2480 powershell.exe 2480 powershell.exe 2480 powershell.exe 3200 LDPlayer.exe 3200 LDPlayer.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 5232 msedge.exe 5232 msedge.exe 336 msedge.exe 336 msedge.exe 4464 msedge.exe 4464 msedge.exe 5708 chrome.exe 5708 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dnplayer.exepid process 1844 dnplayer.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid process 656 656 656 656 656 656 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
chrome.exemsedge.exepid process 3100 chrome.exe 3100 chrome.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exeLDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exedescription pid process Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeDebugPrivilege 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe Token: SeCreatePagefilePrivilege 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe Token: SeCreatePagefilePrivilege 3100 chrome.exe Token: SeShutdownPrivilege 3100 chrome.exe -
Suspicious use of FindShellTrayWindow 61 IoCs
Processes:
chrome.exednplayer.exemsedge.exepid process 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 1844 dnplayer.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe -
Suspicious use of SendNotifyMessage 49 IoCs
Processes:
chrome.exednplayer.exemsedge.exepid process 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 3100 chrome.exe 1844 dnplayer.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe 336 msedge.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exepid process 4688 LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe 3200 LDPlayer.exe 5084 dnrepairer.exe 4896 Ld9BoxSVC.exe 932 driverconfig.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 3100 wrote to memory of 456 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 456 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4932 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4484 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4484 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe PID 3100 wrote to memory of 4304 3100 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.ldplayer.net/download/test/ldad/LDPlayer9.exe?n=LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff934beab58,0x7ff934beab68,0x7ff934beab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4832 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4856 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4856 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4596 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1904,i,9388022976327447924,13091679713382628274,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe"C:\Users\Admin\Downloads\LDPlayer9_ens_com.Cheatlab.Cheatlab_3040_ld.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnplayer.exe /T2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayer.exe /T2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM dnmultiplayerex.exe /T2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM bugreport.exe /T2⤵
- Kills process with taskkill
-
C:\LDPlayer\LDPlayer9\LDPlayer.exe"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\LDPlayer\LDPlayer9\dnrepairer.exe"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=4592863⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\net.exe"net" start cryptsvc4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start cryptsvc5⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Softpub.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Wintrust.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32" Initpki.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" dssenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" rsaenh.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" cryptdlg.dll /s4⤵
- Manipulates Digital Signatures
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\dism.exeC:\Windows\system32\dism.exe /Online /English /Get-Features4⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\dismhost.exeC:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\dismhost.exe {7D98B9AE-E8AA-485D-A9EB-437140BD5518}5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\SysWOW64\sc.exesc query HvHost4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute4⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s4⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc" start Ld9BoxSup4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\LDPlayer\LDPlayer9\driverconfig.exe"C:\LDPlayer\LDPlayer9\driverconfig.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\takeown.exe"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9240646f8,0x7ff924064708,0x7ff9240647183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3464 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4408 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7425739229212215655,12067609579876754819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:13⤵
-
C:\LDPlayer\LDPlayer9\dnplayer.exe"C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.Cheatlab.Cheatlab|package=com.Cheatlab.Cheatlab2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sc.exesc query HvHost3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmms3⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc query vmcompute3⤵
- Launches sc.exe
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\vbox-img.exe"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-0000000000003⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9240646f8,0x7ff924064708,0x7ff9240647184⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x340 0x49c1⤵
-
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\LDPlayer\LDPlayer9\MSVCP120.dllFilesize
444KB
MD550260b0f19aaa7e37c4082fecef8ff41
SHA1ce672489b29baa7119881497ed5044b21ad8fe30
SHA256891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9
SHA5126f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d
-
C:\LDPlayer\LDPlayer9\MSVCR120.dllFilesize
947KB
MD550097ec217ce0ebb9b4caa09cd2cd73a
SHA18cd3018c4170072464fbcd7cba563df1fc2b884c
SHA2562a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112
SHA512ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058
-
C:\LDPlayer\LDPlayer9\crashreport.dllFilesize
51KB
MD519dae6362eb73913f7947f719be52516
SHA1e157307ae8e87c9a6f31bc62ecdf32d70f8648d9
SHA256ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d
SHA512f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2
-
C:\LDPlayer\LDPlayer9\dnmultiplayer.exeFilesize
1.2MB
MD5330013a714c5dc0c561301adcccd8bc8
SHA1030b1d6ac68e64dec5cbb82a75938c6ce5588466
SHA256c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a
SHA5126afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1
-
C:\LDPlayer\LDPlayer9\dnplayer.exeFilesize
3.6MB
MD52061141f3c490b5b441eff06e816a6c2
SHA1d24166db06398c6e897ff662730d3d83391fdaaa
SHA2562f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0
SHA5126b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc
-
C:\LDPlayer\LDPlayer9\dnrepairer.exeFilesize
41.9MB
MD54def56a3500d5a4dec3ff797a88c5751
SHA11a53c9c6f3d1e27ac8532e09f87990505c8090de
SHA256c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4
SHA512a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8
-
C:\LDPlayer\LDPlayer9\dnresource.rccFilesize
5.0MB
MD5d4d2fd2ce9c5017b32fc054857227592
SHA17ee3b1127c892118cc98fb67b1d8a01748ca52d5
SHA256c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185
SHA512d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918
-
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otfFilesize
17.4MB
MD593b877811441a5ae311762a7cb6fb1e1
SHA1339e033fd4fbb131c2d9b964354c68cd2cf18bd1
SHA256b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b
SHA5127f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4
-
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otfFilesize
103KB
MD54acd5f0e312730f1d8b8805f3699c184
SHA167c957e102bf2b2a86c5708257bc32f91c006739
SHA25672336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5
SHA5129982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exeFilesize
652KB
MD5ad9d7cbdb4b19fb65960d69126e3ff68
SHA1dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d
SHA256a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326
SHA512f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dllFilesize
1.5MB
MD566df6f7b7a98ff750aade522c22d239a
SHA1f69464fe18ed03de597bb46482ae899f43c94617
SHA25691e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f
SHA51248d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dllFilesize
2.0MB
MD501c4246df55a5fff93d086bb56110d2b
SHA1e2939375c4dd7b478913328b88eaa3c91913cfdc
SHA256c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889
SHA51239524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dllFilesize
442KB
MD52d40f6c6a4f88c8c2685ee25b53ec00d
SHA1faf96bac1e7665aa07029d8f94e1ac84014a863b
SHA2561d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334
SHA5124e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dllFilesize
1.2MB
MD5ba46e6e1c5861617b4d97de00149b905
SHA14affc8aab49c7dc3ceeca81391c4f737d7672b32
SHA2562eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e
SHA512bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dllFilesize
192KB
MD552c43baddd43be63fbfb398722f3b01d
SHA1be1b1064fdda4dde4b72ef523b8e02c050ccd820
SHA2568c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f
SHA51204cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dllFilesize
511KB
MD5e8fd6da54f056363b284608c3f6a832e
SHA132e88b82fd398568517ab03b33e9765b59c4946d
SHA256b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd
SHA5124f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dllFilesize
522KB
MD53e29914113ec4b968ba5eb1f6d194a0a
SHA1557b67e372e85eb39989cb53cffd3ef1adabb9fe
SHA256c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a
SHA51275078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dllFilesize
854KB
MD54ba25d2cbe1587a841dcfb8c8c4a6ea6
SHA152693d4b5e0b55a929099b680348c3932f2c3c62
SHA256b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49
SHA51282e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6
-
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dllFilesize
283KB
MD50054560df6c69d2067689433172088ef
SHA1a30042b77ebd7c704be0e986349030bcdb82857d
SHA25672553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750
SHA512418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0
-
C:\LDPlayer\LDPlayer9\vms\config\leidian0.configFilesize
641B
MD5b7e73878a66442125f3bf4af4d05b950
SHA17f692f9aae7a3e82c508fc286c77d4dbe3015378
SHA2560250a30af947e7358ccae164d5151cd6b5313927898a222e9ec7c57080f01ddb
SHA5126a88d3eb40e54e1d7efd93fffea74aba3c2042d41a12709a955b99cbcc5688c045862579b1f19a5029acc143b01704e10087c16db90fe5dd6618b99417f3f3aa
-
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdkFilesize
35.1MB
MD54d592fd525e977bf3d832cdb1482faa0
SHA1131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef
SHA256f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6
SHA512afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5e16c14589a2d627a4e46a29285d3a793
SHA1fe6254e2d9cee74c9ed16379354e5a58059eb0a5
SHA2566dba685988601af90c2e7e30c79c3dda4b804d954e6650793380608ffcf8eaf7
SHA512cafbf7464f469aba9758efc055232afc430114f71a5197f9c7ee359e38f6ec64557695fd05a6055a84debc28f9698e87b7de970fe6dd7bbdded34bf874ea7ebd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD560a33007100d4b942c2b0e64bc1e9373
SHA128f0f6e82cd7a54bb432ac18c5dee039fed3db9c
SHA2565a0fe59ec6e8221131b3c29ac9b86069818967b9e8a02cb129d0d5a6d5e4ab97
SHA512cae3934f1e00f98c2d3904aa70f75c0e24dc3021e295848d18cb7278784f0b02923210835ecf5dceab507f1dd3f33188441f9712ba65f429591d55609fa3ce4e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
138KB
MD53af2e4f1a413ce36a72dc4855079d185
SHA13b1ab7afe3996945232547b07f0b45203371ae0e
SHA256ffae71029fddb5fee955f48c781be63f6e204a37f52af211ad5ec7a29fe95a85
SHA512a4cd43f2e0ddb0a0aa05e91026f9a9c78f97f2bad42a6a2eb6cfc0f1e03249d31ef5b2d144cee3cd8a9ab820795b975e1a855e958be9a4a3eec6760bd0ee1a80
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53a09f853479af373691d131247040276
SHA11b6f098e04da87e9cf2d3284943ec2144f36ac04
SHA256a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
SHA512341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5db9081c34e133c32d02f593df88f047a
SHA1a0da007c14fd0591091924edc44bee90456700c6
SHA256c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
SHA51212f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD560c3b2c707d5b5f1731ff26c844b915a
SHA1e4a03fab23b06424caed4e7de932ee78f0af4368
SHA256101af9bc6760c6d2fdfe01d57d4fd9254772c14a100b05f739a3c280da949a9b
SHA512e2a2c53775ad27cb0acfc555d210fb400437661e376c0e257b7fb9a4cfbaa0b91960f5663d229b89228d0a715edfe31bd970a0e398d5b137f9f3d464045cf90e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD51cb9c4f1f125737fc8f9ea189786c201
SHA17dc3d60bdd0aa6ad3f1f36eb28fe537a35c62fa6
SHA256cebd6d021d7258864e6f69a169c023da000cf72480712645a12e77243b937941
SHA5122596d21305edd1ace473430cd976f1af9219230fecfb1c26e38cbb7a5e8a17aee104fb46370180772a62bbc39877e32527c94342e60b55af723798b1a0f6bf60
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD588f41ba4b581904f8962dc112d5f85f2
SHA141292a830d373a29bd8fcbb2700c50bedd750aa5
SHA256c2002645b745b7fd83d782d037e72187ef37ee1554b5b33a19683d46cc9b47e1
SHA512a0790e81fa7699f8520f58acf267841d39e0e89ab44951815760906c7933007e5ec26284336ca70052fa977f8fd7f53a5fa0ba121fe1fc355792195a7a0274fd
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\AppxProvider.dllFilesize
554KB
MD5a7927846f2bd5e6ab6159fbe762990b1
SHA18e3b40c0783cc88765bbc02ccc781960e4592f3f
SHA256913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f
SHA5121eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\AssocProvider.dllFilesize
112KB
MD594dc379aa020d365ea5a32c4fab7f6a3
SHA17270573fd7df3f3c996a772f85915e5982ad30a1
SHA256dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907
SHA512998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\CbsProvider.dllFilesize
875KB
MD56ad0376a375e747e66f29fb7877da7d0
SHA1a0de5966453ff2c899f00f165bbff50214b5ea39
SHA2564c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f
SHA5128a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\DismCore.dllFilesize
402KB
MD5b1f793773dc727b4af1648d6d61f5602
SHA1be7ed4e121c39989f2fb343558171ef8b5f7af68
SHA256af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e
SHA51266a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\DismCorePS.dllFilesize
183KB
MD5a033f16836d6f8acbe3b27b614b51453
SHA1716297072897aea3ec985640793d2cdcbf996cf9
SHA256e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e
SHA512ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\DismHost.exeFilesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\DmiProvider.dllFilesize
415KB
MD5ea8488990b95ce4ef6b4e210e0d963b2
SHA1cd8bf723aa9690b8ca9a0215321e8148626a27d1
SHA25604f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98
SHA51256562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\FfuProvider.dllFilesize
619KB
MD5df785c5e4aacaee3bd16642d91492815
SHA1286330d2ab07512e1f636b90613afcd6529ada1e
SHA25656cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271
SHA5123566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\FolderProvider.dllFilesize
59KB
MD54f3250ecb7a170a5eb18295aa768702d
SHA170eb14976ddab023f85bc778621ade1d4b5f4d9d
SHA256a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461
SHA512e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\GenericProvider.dllFilesize
149KB
MD5ef7e2760c0a24453fc78359aea3d7869
SHA10ea67f1fd29df2615da43e023e86046e8e46e2e1
SHA256d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a
SHA512be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\IBSProvider.dllFilesize
59KB
MD5120f0a2022f423fc9aadb630250f52c4
SHA1826df2b752c4f1bba60a77e2b2cf908dd01d3cf7
SHA2565425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0
SHA51223e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\ImagingProvider.dllFilesize
218KB
MD535e989a1df828378baa340f4e0b2dfcb
SHA159ecc73a0b3f55e43dace3b05ff339f24ec2c406
SHA256874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d
SHA512c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\LogProvider.dllFilesize
77KB
MD5815a4e7a7342224a239232f2c788d7c0
SHA1430b7526d864cfbd727b75738197230d148de21a
SHA256a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2
SHA5120c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\OSProvider.dllFilesize
149KB
MD5db4c3a07a1d3a45af53a4cf44ed550ad
SHA15dea737faadf0422c94f8f50e9588033d53d13b3
SHA2562165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758
SHA5125182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\dismprov.dllFilesize
255KB
MD5490be3119ea17fa29329e77b7e416e80
SHA1c71191c3415c98b7d9c9bbcf1005ce6a813221da
SHA256ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a
SHA5126339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\AppxProvider.dll.muiFilesize
22KB
MD5bd0dd9c5a602cb0ad7eabc16b3c1abfc
SHA1cede6e6a55d972c22da4bc9e0389759690e6b37f
SHA2568af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3
SHA51286351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\AssocProvider.dll.muiFilesize
8KB
MD58833761572f0964bdc1bea6e1667f458
SHA1166260a12c3399a9aa298932862569756b4ecc45
SHA256b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5
SHA5122a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\CbsProvider.dll.muiFilesize
53KB
MD56c51a3187d2464c48cc8550b141e25c5
SHA1a42e5ae0a3090b5ab4376058e506b111405d5508
SHA256d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199
SHA51287a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\DismCore.dll.muiFilesize
7KB
MD57a15f6e845f0679de593c5896fe171f9
SHA10c923dfaffb56b56cba0c28a4eacb66b1b91a1f4
SHA256f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419
SHA5125a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\DmiProvider.dll.muiFilesize
17KB
MD5b7252234aa43b7295bb62336adc1b85c
SHA1b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f
SHA25673709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c
SHA51288241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\FfuProvider.dll.muiFilesize
9KB
MD5dc826a9cb121e2142b670d0b10022e22
SHA1b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9
SHA256ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a
SHA512038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\FolderProvider.dll.muiFilesize
2KB
MD522b4a3a1ec3b6d7aa3bc61d0812dc85f
SHA197ae3504a29eb555632d124022d8406fc5b6f662
SHA256c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105
SHA5129329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\GenericProvider.dll.muiFilesize
5KB
MD5d6b02daf9583f640269b4d8b8496a5dd
SHA1e3bc2acd8e6a73b6530bc201902ab714e34b3182
SHA2569102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0
SHA512189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\IBSProvider.dll.muiFilesize
2KB
MD5d4b67a347900e29392613b5d86fe4ac2
SHA1fb84756d11bfd638c4b49268b96d0007b26ba2fb
SHA2564ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5
SHA512af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\ImagingProvider.dll.muiFilesize
18KB
MD5f2e2ba029f26341158420f3c4db9a68f
SHA11dee9d3dddb41460995ad8913ad701546be1e59d
SHA25632d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3
SHA5123d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e
-
C:\Users\Admin\AppData\Local\Temp\A4C86609-0A00-48D0-AFF0-03102F8C2139\en-US\dismprov.dll.muiFilesize
2KB
MD57d06108999cc83eb3a23eadcebb547a5
SHA1200866d87a490d17f6f8b17b26225afeb6d39446
SHA256cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311
SHA5129f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002
-
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dllFilesize
79KB
MD5d9cb0b4a66458d85470ccf9b3575c0e7
SHA11572092be5489725cffbabe2f59eba094ee1d8a1
SHA2566ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05
SHA51294937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fibvccyf.mk3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dllFilesize
73KB
MD5b001f88504c8c9973e9a3b4dc03e6d1a
SHA1a54b3046a70a4f2c792ad6a382b637b599f1dc48
SHA2568ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd
SHA512390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8
-
C:\Users\Admin\Downloads\Unconfirmed 982739.crdownloadFilesize
3.3MB
MD586fca06e090f8017dd323ccc516a7ed9
SHA1720fd4f4d0ac09308d19d229c8fbfde71313ce7d
SHA2565516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874
SHA51205f6ea47c48a2da3304a2d14a741403200ccf47e1f1b7155a2eba3fe694e4f42b8a327010fbc20b720ba06e4f84ee96b39d885989ae7cd20cc459261cd02b34b
-
C:\Windows\Logs\DISM\dism.logFilesize
236KB
MD572c143f337e3c424d61bc24d5d126cee
SHA1f3978f61d950c4250e6eac636daf5e41f83857e6
SHA256b9ca0f47590dba211e21fadd47e7d2e9f4da0da1340cfc9a4fba4da938d8decf
SHA512abb6fc46089ea3d6d60fba7193c05cdfa045e25553752d89b75015b9bf4f2a06240989b25e6282083d688cee0df3ef3218126aed5d048083b812d91f2c632dc4
-
C:\Windows\Logs\DISM\dism.logFilesize
276KB
MD5424c90ed2429e0fb0af87ec018c844fe
SHA1202126e91ae341029e429f6afb6aedfaedc63cbb
SHA25697a31dd5b22c865c82e5a07e9286f0e2f1ea7b76bdd57bfaef564590bb2bd710
SHA51281a43f89d54506b9c41c273e022e2917d2d23df3b092766b613850e3c5cb5bd03c6abbd83e1d545fa46f58fc01522acc39522dfa9e79b1fd40632b60f84aac7d
-
\??\pipe\crashpad_3100_ODGTYVQKZPPYSAXSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1688-941-0x00000000057B0000-0x0000000005B04000-memory.dmpFilesize
3.3MB
-
memory/1688-951-0x000000006EA90000-0x000000006EADC000-memory.dmpFilesize
304KB
-
memory/1844-1459-0x000000006E280000-0x000000006E826000-memory.dmpFilesize
5.6MB
-
memory/1844-1461-0x000000006E180000-0x000000006E1FA000-memory.dmpFilesize
488KB
-
memory/1844-1078-0x0000000000B70000-0x0000000000B86000-memory.dmpFilesize
88KB
-
memory/1844-1096-0x0000000037330000-0x0000000037340000-memory.dmpFilesize
64KB
-
memory/1844-1463-0x000000006BF60000-0x000000006BFB9000-memory.dmpFilesize
356KB
-
memory/1844-1462-0x000000006C780000-0x000000006E17B000-memory.dmpFilesize
26.0MB
-
memory/1844-1460-0x000000006E200000-0x000000006E27E000-memory.dmpFilesize
504KB
-
memory/2480-972-0x000000006EA90000-0x000000006EADC000-memory.dmpFilesize
304KB
-
memory/2480-962-0x0000000005670000-0x00000000059C4000-memory.dmpFilesize
3.3MB
-
memory/3956-920-0x000000006EA90000-0x000000006EADC000-memory.dmpFilesize
304KB
-
memory/3956-937-0x0000000007300000-0x000000000730E000-memory.dmpFilesize
56KB
-
memory/3956-938-0x00000000073D0000-0x00000000073EA000-memory.dmpFilesize
104KB
-
memory/3956-936-0x00000000072B0000-0x00000000072C1000-memory.dmpFilesize
68KB
-
memory/3956-935-0x0000000007330000-0x00000000073C6000-memory.dmpFilesize
600KB
-
memory/3956-903-0x0000000002470000-0x00000000024A6000-memory.dmpFilesize
216KB
-
memory/3956-904-0x00000000050A0000-0x00000000056C8000-memory.dmpFilesize
6.2MB
-
memory/3956-906-0x00000000056D0000-0x0000000005736000-memory.dmpFilesize
408KB
-
memory/3956-934-0x0000000007120000-0x000000000712A000-memory.dmpFilesize
40KB
-
memory/3956-919-0x0000000006350000-0x0000000006382000-memory.dmpFilesize
200KB
-
memory/3956-933-0x00000000070B0000-0x00000000070CA000-memory.dmpFilesize
104KB
-
memory/3956-905-0x0000000004EC0000-0x0000000004EE2000-memory.dmpFilesize
136KB
-
memory/3956-916-0x00000000058B0000-0x0000000005C04000-memory.dmpFilesize
3.3MB
-
memory/3956-917-0x0000000005D60000-0x0000000005D7E000-memory.dmpFilesize
120KB
-
memory/3956-918-0x0000000005DA0000-0x0000000005DEC000-memory.dmpFilesize
304KB
-
memory/3956-930-0x0000000006390000-0x00000000063AE000-memory.dmpFilesize
120KB
-
memory/3956-932-0x00000000076F0000-0x0000000007D6A000-memory.dmpFilesize
6.5MB
-
memory/3956-931-0x0000000006D90000-0x0000000006E33000-memory.dmpFilesize
652KB
-
memory/4688-78-0x00000000083E0000-0x0000000008472000-memory.dmpFilesize
584KB
-
memory/4688-59-0x0000000005C60000-0x0000000005C70000-memory.dmpFilesize
64KB
-
memory/4688-109-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4688-60-0x00000000736FE000-0x00000000736FF000-memory.dmpFilesize
4KB
-
memory/4688-64-0x0000000008120000-0x0000000008136000-memory.dmpFilesize
88KB
-
memory/4688-65-0x0000000073FA0000-0x0000000073FB6000-memory.dmpFilesize
88KB
-
memory/4688-67-0x00000000086F0000-0x0000000008C94000-memory.dmpFilesize
5.6MB
-
memory/4688-1136-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4688-81-0x0000000009750000-0x0000000009794000-memory.dmpFilesize
272KB
-
memory/4688-82-0x0000000009830000-0x00000000098CC000-memory.dmpFilesize
624KB
-
memory/4688-83-0x00000000098D0000-0x0000000009936000-memory.dmpFilesize
408KB
-
memory/4688-84-0x000000000A280000-0x000000000A7AC000-memory.dmpFilesize
5.2MB
-
memory/4688-91-0x000000000A240000-0x000000000A24A000-memory.dmpFilesize
40KB
-
memory/4688-95-0x00000000736F0000-0x0000000073EA0000-memory.dmpFilesize
7.7MB
-
memory/4688-98-0x0000000005C60000-0x0000000005C70000-memory.dmpFilesize
64KB
-
memory/4688-108-0x00000000736FE000-0x00000000736FF000-memory.dmpFilesize
4KB