5516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874

Analysis

max time kernel
277s
max time network
276s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_1111_ld.exe
Size

3.3MB
MD5

86fca06e090f8017dd323ccc516a7ed9
SHA1

720fd4f4d0ac09308d19d229c8fbfde71313ce7d
SHA256

5516ce5826c34dc1d89b1373f09a5eb490cf1dab55f98da02bdc53a73b772874
SHA512

05f6ea47c48a2da3304a2d14a741403200ccf47e1f1b7155a2eba3fe694e4f42b8a327010fbc20b720ba06e4f84ee96b39d885989ae7cd20cc459261cd02b34b
SSDEEP

49152:SLgmKyhrX/3MwVn1pHtOUYqP3CFOrtG/JR9sXafgkDFMVR9C1UhPJXMK701hOHZ4:IgmKEX/3MS1t0xOoGBiCV2H1l

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

280 takeown.exe
2180 icacls.exe
2044 takeown.exe
2552 icacls.exe
2572 takeown.exe
756 icacls.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

280 takeown.exe
2180 icacls.exe
2044 takeown.exe
2552 icacls.exe
2572 takeown.exe
756 icacls.exe

pid	process
280	takeown.exe
2180	icacls.exe
2044	takeown.exe
2552	icacls.exe
2572	takeown.exe
756	icacls.exe

pid	process
280	takeown.exe
2180	icacls.exe
2044	takeown.exe
2552	icacls.exe
2572	takeown.exe
756	icacls.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

Processes:

LDPlayer9_ens_1111_ld.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	LDPlayer9_ens_1111_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	LDPlayer9_ens_1111_ld.exe

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

59 discord.com
60 discord.com
61 discord.com
91 discord.com
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	ioc
59	discord.com
60	discord.com
61	discord.com
91	discord.com

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuth.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxCpuReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VirtualBox.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qoffscreen.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe

Drops file in Windows directory 1 IoCs

Processes:

dism.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe

Executes dropped EXE 14 IoCs

Processes:

LDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exe

pid	process
2972	LDPlayer.exe
2096	dnrepairer.exe
1532	Ld9BoxSVC.exe
3020	driverconfig.exe
836	dnplayer.exe
2584	Ld9BoxSVC.exe
2296	vbox-img.exe
1764	vbox-img.exe
932	vbox-img.exe
944	Ld9BoxHeadless.exe
2208	Ld9BoxHeadless.exe
2212	Ld9BoxHeadless.exe
2164	Ld9BoxHeadless.exe
2596	Ld9BoxHeadless.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

316 sc.exe
1616 sc.exe
2028 sc.exe
1940 sc.exe
2940 sc.exe
2232 sc.exe
2716 sc.exe
2200 sc.exe

pid	process
316	sc.exe
1616	sc.exe
2028	sc.exe
1940	sc.exe
2940	sc.exe
2232	sc.exe
2716	sc.exe
2200	sc.exe

Loads dropped DLL 64 IoCs

Processes:

LDPlayer9_ens_1111_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exedriverconfig.exe

pid	process
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2972	LDPlayer.exe
2096	dnrepairer.exe
2096	dnrepairer.exe
2096	dnrepairer.exe
2096	dnrepairer.exe
2096	dnrepairer.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
1532	Ld9BoxSVC.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
1804	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
2212	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
1788	regsvr32.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
3020	driverconfig.exe
3020	driverconfig.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1136 taskkill.exe
2004 taskkill.exe
772 taskkill.exe
1940 taskkill.exe

pid	process
1136	taskkill.exe
2004	taskkill.exe
772	taskkill.exe
1940	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "325"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "325"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MAIN	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6000BDF1-37BE-11EF-BF51-4E559C6B32B6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "325"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426009493"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000a5037247a54b1e28ea48884a66aa72d5fd8809faa2b62245b10b068512f6e7b1000000000e8000000002000020000000d8eea03387faf39d41a9b5ea5b574388cddef6c4052455b8a65f940170adbf36200000001d9425cac65b5eced24a62fd7d2e0a68302078abf716001f6587c062d7378e8e4000000041ad2f85e0036e65514d7147410f979ecc71d529d4fc846063c61814c6e4579c3eedf36494f6a60a50fd38aad70743903fa1a21adf922f13154213709c6a46c4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0be4336cbcbda01	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeLd9BoxSVC.exeLDPlayer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AE84-4B8E-B0F3-5C20C35CAAC9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\NumMethods\ = "19"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\ProgId	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\ = "IMousePointerShape"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\ = "IEventSourceChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\NumMethods\ = "31"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.apk\Shell\Open\Command\ = "C:\\LDPlayer\\LDPlayer9\\dnplayer.exe apk=%1"	LDPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\ = "IDHCPGlobalConfig"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8384-11e9-921d-8b984e28a686}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5A1D-43F1-6F27-6A0DB298A9A8}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\ = "ISnapshotDeletedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ = "IGuestMonitorChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-800A-40F8-87A6-170D02249A55}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-8084-11E9-B185-DBE296E54799}\NumMethods\ = "9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\ = "IGuestScreenInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ = "IRangedIntegerFormValue"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7532-45E8-96DA-EB5986AE76E4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4289-ef4e-8e6a-e5b07816b631}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\NumMethods\ = "82"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ = "IGuestDirectory"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-7708-444B-9EEF-C116CE423D39}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ = "IInternalMachineControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34b8-42d3-acfb-7e96daf77c22}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-be30-49c0-b315-e9749e1bded1}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\ = "IGuestFileStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486E-472F-481B-969746AF2480}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6B76-4805-8FAB-00A9DCF4732B}\ = "IFramebufferOverlay"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F7B7-4B05-900E-2A9253C00F51}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\TypeLib	Ld9BoxSVC.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

LDPlayer9_ens_1111_ld.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_ens_1111_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	LDPlayer9_ens_1111_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer9_ens_1111_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LDPlayer9_ens_1111_ld.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

LDPlayer9_ens_1111_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exe

pid	process
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2992	LDPlayer9_ens_1111_ld.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2972	LDPlayer.exe
2096	dnrepairer.exe
3000	powershell.exe
2380	powershell.exe
2692	powershell.exe
2972	LDPlayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dnplayer.exe

pid process

836 dnplayer.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

472
472
472
472
472
472

pid	process
836	dnplayer.exe

pid	process
472
472
472
472
472
472

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_ens_1111_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	2992	LDPlayer9_ens_1111_ld.exe
Token: SeShutdownPrivilege	2992	LDPlayer9_ens_1111_ld.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeTakeOwnershipPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe
Token: SeDebugPrivilege	2972	LDPlayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exednplayer.exe

pid process

2396 iexplore.exe
836 dnplayer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

dnplayer.exe

pid process

836 dnplayer.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

2396 iexplore.exe
2396 iexplore.exe
2080 IEXPLORE.EXE
2080 IEXPLORE.EXE
2080 IEXPLORE.EXE
2080 IEXPLORE.EXE
600 IEXPLORE.EXE
600 IEXPLORE.EXE

pid	process
2396	iexplore.exe
836	dnplayer.exe

pid	process
836	dnplayer.exe

pid	process
2396	iexplore.exe
2396	iexplore.exe
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
600	IEXPLORE.EXE
600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LDPlayer9_ens_1111_ld.exeLDPlayer.exednrepairer.exenet.exe

description	pid	process	target process
PID 2992 wrote to memory of 1136	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1136	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1136	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1136	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 2004	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 2004	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 2004	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 2004	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 772	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 772	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 772	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 772	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1940	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1940	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1940	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 1940	2992	LDPlayer9_ens_1111_ld.exe	taskkill.exe
PID 2992 wrote to memory of 2972	2992	LDPlayer9_ens_1111_ld.exe	LDPlayer.exe
PID 2992 wrote to memory of 2972	2992	LDPlayer9_ens_1111_ld.exe	LDPlayer.exe
PID 2992 wrote to memory of 2972	2992	LDPlayer9_ens_1111_ld.exe	LDPlayer.exe
PID 2992 wrote to memory of 2972	2992	LDPlayer9_ens_1111_ld.exe	LDPlayer.exe
PID 2972 wrote to memory of 2096	2972	LDPlayer.exe	dnrepairer.exe
PID 2972 wrote to memory of 2096	2972	LDPlayer.exe	dnrepairer.exe
PID 2972 wrote to memory of 2096	2972	LDPlayer.exe	dnrepairer.exe
PID 2972 wrote to memory of 2096	2972	LDPlayer.exe	dnrepairer.exe
PID 2096 wrote to memory of 532	2096	dnrepairer.exe	net.exe
PID 2096 wrote to memory of 532	2096	dnrepairer.exe	net.exe
PID 2096 wrote to memory of 532	2096	dnrepairer.exe	net.exe
PID 2096 wrote to memory of 532	2096	dnrepairer.exe	net.exe
PID 532 wrote to memory of 2976	532	net.exe	net1.exe
PID 532 wrote to memory of 2976	532	net.exe	net1.exe
PID 532 wrote to memory of 2976	532	net.exe	net1.exe
PID 532 wrote to memory of 2976	532	net.exe	net1.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1488	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2440	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1276	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 1132	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2188	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2188	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2188	2096	dnrepairer.exe	regsvr32.exe
PID 2096 wrote to memory of 2188	2096	dnrepairer.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1111_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_1111_ld.exe"
1⤵
- Checks for any installed AV software in registry
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1111 -language=en -path="C:\LDPlayer\LDPlayer9\"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=197092
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
PID:2976

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
PID:1488

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
PID:2440

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
4⤵
PID:1276

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
4⤵
PID:1132

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
4⤵
PID:2188

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
4⤵
PID:1336

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
- Manipulates Digital Signatures
PID:1080

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:280

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2180

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2044

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2552

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
4⤵
- Drops file in Windows directory
PID:1348

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:1616

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:2028

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:1940

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532

C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
4⤵
- Loads dropped DLL
PID:2868

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
4⤵
- Loads dropped DLL
PID:1804

C:\Windows\system32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2212

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1788

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
PID:2940

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2572

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/4bUcwDd53d
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:734214 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:600

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\dnplayer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:2716

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:2200

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:316

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
- Executes dropped EXE
PID:2296

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:1764

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
PID:2792

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2584

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:944

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2208

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2212

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2164

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Install Root Certificate

T1553.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
330013a714c5dc0c561301adcccd8bc8

SHA1
030b1d6ac68e64dec5cbb82a75938c6ce5588466

SHA256
c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a

SHA512
6afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.6MB

MD5
2061141f3c490b5b441eff06e816a6c2

SHA1
d24166db06398c6e897ff662730d3d83391fdaaa

SHA256
2f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0

SHA512
6b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc
Filesize
5.0MB

MD5
d4d2fd2ce9c5017b32fc054857227592

SHA1
7ee3b1127c892118cc98fb67b1d8a01748ca52d5

SHA256
c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185

SHA512
d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\EGL.dll
Filesize
532KB

MD5
ef46946bf30878e9ecf2044feefe7761

SHA1
873bd7311fd58de541d64955579ac1e3935e593e

SHA256
a788ce50d0e0bfa2d49027c91f0260d4a17491694a6634ea950ea37bc7f664aa

SHA512
f3c0c56903577a16119bcc39199fb446f9463f24435a8471ad508b8280639e178962bea70880f16918f5759d55393c68ee9412769062de4899b5071bf2d6dffd

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\GLES12Translator.dll
Filesize
379KB

MD5
413e78cd4603f4251407d30cfd504481

SHA1
d42e5ce14e38bbc62bd1d82f111efe3a7d5ad71b

SHA256
819567d94fe25e41e81c395faee4f8c97a17f0b45fcd1fc52aee436f9fb04020

SHA512
f1c162a511af04521497f19b01cfa7fd00e031141b504076da15bcd8ebc7c8ac8de7d4c5e3fcdcebe19870ca18a6f930684e0ea4cd9817821808300887166bc7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-console-l1-1-0.dll
Filesize
11KB

MD5
1fb62ef7e71b24a44ea5f07288240699

SHA1
875261b5537ed9b71a892823d4fc614cb11e8c1f

SHA256
70a4cd55e60f9dd5d047576e9cd520d37af70d74b9a71e8fa73c41475caadc9a

SHA512
3b66efe9a54d0a3140e8ae02c8632a3747bad97143428aedc263cb57e3cfa53c479b7f2824051ff7a8fd6b838032d9ae9f9704c289e79eed0d85a20a6f417e61

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-datetime-l1-1-0.dll
Filesize
11KB

MD5
0fb91d94f6d006da24a3a2df6d295d81

SHA1
db8ae2c45940d10f463b6dbecd63c22acab1eee2

SHA256
e08d41881dbef8e19b9b5228938e85787292b4b6078d5384ba8e19234a0240a8

SHA512
16d16eb10031c3d27e18c2ee5a1511607f95f84c8d32e49bbacee1adb2836c067897ea25c7649d805be974ba03ff1286eb665361036fd8afd376c8edcfabd88c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-debug-l1-1-0.dll
Filesize
11KB

MD5
c1fdd419184ef1f0895e4f7282d04dc5

SHA1
42c00eee48c72bfde66bc22404cd9d2b425a800b

SHA256
e8cf51a77e7720bd8f566db0a544e3db1c96edc9a59d4f82af78b370de5891f7

SHA512
21aa4d299d4c2eab267a114644c3f99f9f51964fd89b5c17769a8f61a2b08c237e5252b77ca38f993a74cc721b1b18e702c99bdfa39e0d43d375c56f126be62c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
11KB

MD5
e46bc300bf7be7b17e16ff12d014e522

SHA1
ba16bc615c0dad61ef6efe5fd5c81cec5cfbad44

SHA256
002f6818c99efbd6aee20a1208344b87af7b61030d2a6d54b119130d60e7f51e

SHA512
f92c1055a8adabb68da533fe157f22c076da3c31d7cf645f15c019ce4c105b99933d860a80e22315377585ae5847147c48cd28c9473a184c9a2149b1d75ee1b1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-1-0.dll
Filesize
14KB

MD5
e87192a43630eb1f6bdf764e57532b8b

SHA1
f9dda76d7e1acdbb3874183a9f1013b6489bd32c

SHA256
d9cd7767d160d3b548ca57a7a4d09fe29e1a2b5589f58fbcf6cb6e992f5334cf

SHA512
30e29f2ffdc47c4085ca42f438384c6826b8e70adf617ac53f6f52e2906d3a276d99efcc01bf528c27eca93276151b143e6103b974c20d801da76f291d297c4c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
7041205ea1a1d9ba68c70333086e6b48

SHA1
5034155f7ec4f91e882eae61fd3481b5a1c62eb0

SHA256
eff4703a71c42bec1166e540aea9eeaf3dc7dfcc453fedcb79c0f3b80807869d

SHA512
aea052076059a8b4230b73936ef8864eb4bb06a8534e34fe9d03cc92102dd01b0635bfce58f4e8c073f47abfd95fb19b6fbfcdaf3bc058a188665ac8d5633eb1

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
8fd05f79565c563a50f23b960f4d77a6

SHA1
98e5e665ef4a3dd6f149733b180c970c60932538

SHA256
3eb57cda91752a2338ee6b83b5e31347be08831d76e7010892bfd97d6ace9b73

SHA512
587a39aecb40eff8e4c58149477ebaeb16db8028d8f7bea9114d34e22cd4074718490a4e3721385995a2b477fe33894a044058880414c9a668657b90b76d464f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-handle-l1-1-0.dll
Filesize
11KB

MD5
cedbeae3cb51098d908ef3a81dc8d95c

SHA1
c43e0bf58f4f8ea903ea142b36e1cb486f64b782

SHA256
3cb281c38fa9420daedb84bc4cd0aaa958809cc0b3efe5f19842cc330a7805a0

SHA512
72e7bdf4737131046e5ef6953754be66fb7761a85e864d3f3799d510bf891093a2da45b684520e2dbce3819f2e7a6f3d6cf4f34998c28a8a8e53f86c60f3b78a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-heap-l1-1-0.dll
Filesize
11KB

MD5
13b358d9ecffb48629e83687e736b61d

SHA1
1f876f35566f0d9e254c973dbbf519004d388c8d

SHA256
1cf1b6f42985016bc2dc59744efeac49515f8ed1cc705fe3f5654d81186097cd

SHA512
08e54fa2b144d5b0da199d052896b9cf556c0d1e6f37c2ab3363be5cd3cf0a8a6422626a0643507aa851fddf3a2ea3d42a05b084badf509b35ec50cb2e0bb5ce

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
11KB

MD5
c9649c9873f55cb7cdc3801b30136001

SHA1
3d2730a1064acd8637bfc69f0355095e6821edfd

SHA256
d05e1bd7fa00f52214192a390d36758fa3fe605b05a890a38f785c4db7adef1f

SHA512
39497baa6301c0ad3e9e686f7dfa0e40dbea831340843417eecc23581b04972facc2b6d30173cc93bf107a42f9d5d42515ef9fd73bb17070eb6f54109dc14e3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
11KB

MD5
bedc3d74c8a93128ef9515fd3e1d40eb

SHA1
d207c881751c540651dbdb2dbd78e7ecd871bfe1

SHA256
fefc7bc60bd8d0542ccea84c27386bc27eb93a05330e059325924cb12aaf8f32

SHA512
cdcbce2dbe134f0ab69635e4b42ef31864e99b9ab8b747fb395a2e32b926750f0dd153be410337d218554434f17e8bc2f5501f4b8a89bb3a6be7f5472fb18360

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
769bf2930e7b0ce2e3fb2cbc6630ba2e

SHA1
b9df24d2d37ca8b52ca7eb5c6de414cb3159488a

SHA256
d10ff3164acd8784fe8cc75f5b12f32ce85b12261adb22b8a08e9704b1e5991a

SHA512
9abdcccc8ee21b35f305a91ea001c0b8964d8475680fa95b4afbdc2d42797df543b95fc1bcd72d3d2ccc1d26dff5b3c4e91f1e66753626837602dbf73fc8369b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-memory-l1-1-0.dll
Filesize
11KB

MD5
89766e82e783facf320e6085b989d59d

SHA1
a3ffb65f0176c2889a6e4d9c7f4b09094afb87ed

SHA256
b04af86e7b16aada057a64139065df3a9b673a1a8586a386b1f2e7300c910f90

SHA512
ea4df1b2763dde578488bb8dd333be8f2b79f5277c9584d1fc8f11e9961d38767d6a2da0b7b01bad0d002d8dcf67cca1d8751a518f1ee4b9318081f8df0422c7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
11KB

MD5
b8bce84b33ae9f56369b3791f16a6c47

SHA1
50f14d1fe9cb653f2ed48cbb52f447bdd7ec5df4

SHA256
0af28c5c0bb1c346a22547e17a80cb17f692bf8d1e41052684fa38c3bbcbb8c8

SHA512
326092bae01d94ba05ecec0ea8a7ba03a8a83c5caf12bef88f54d075915844e298dba27012a1543047b73b6a2ae2b08478711c8b3dcc0a7f0c9ffabba5b193cf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
12KB

MD5
77e9c54da1436b15b15c9c7e1cedd666

SHA1
6ce4d9b3dc7859d889d4ccd1e8e128bf7ca3a360

SHA256
885bd4d193568d10dd24d104ccf92b258a9262565e0c815b01ec15a0f4c65658

SHA512
6eecf63d3df4e538e1d2a62c6266f7d677daebd20b7ce40a1894c0ebe081585e01e0c7849ccdf33dd21274e194e203e056e7103a99a3cd0172df3ed791dce1c2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
13KB

MD5
540d7c53d63c7ff3619f99f12aac0afe

SHA1
69693e13c171433306fb5c9be333d73fdf0b47ed

SHA256
3062bd1f6d52a6b830dbb591277161099dcf3c255cff31b44876076069656f36

SHA512
ce37439ce1dfb72d4366ca96368211787086948311eb731452bb453c284ccc93ccecef5c0277d4416051f4032463282173f3ec5be45e5c3249f7c7ec433f3b3e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
6486e2f519a80511ac3de235487bee79

SHA1
b43fd61e62d98eea74cf8eb54ca16c8f8e10c906

SHA256
24cc30d7a3e679989e173ddc0a9e185d6539913af589ee6683c03bf3de485667

SHA512
02331c5b15d9ee5a86a7aaf93d07f9050c9254b0cd5969d51eff329e97e29eea0cb5f2dccfe2bfa30e0e9fc4b222b89719f40a46bd762e3ff0479dbac704792c

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-profile-l1-1-0.dll
Filesize
10KB

MD5
a37faea6c5149e96dc1a523a85941c37

SHA1
0286f5dafffa3cf58e38e87f0820302bcf276d79

SHA256
0e35bebd654ee0c83d70361bcaecf95c757d95209b9dbcb145590807d3ffae2e

SHA512
a88df77f3cc50d5830777b596f152503a5a826b04e35d912c979ded98dc3c055eb150049577ba6973d1e6c737d3b782655d848f3a71bd5a67aa41fc9322f832e

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
11KB

MD5
6e46e5cca4a98a53c6d2b6c272a2c3ba

SHA1
bc8f556ee4260cce00f4dc66772e21b554f793a4

SHA256
87fca6cdfa4998b0a762015b3900edf5b32b8275d08276abc0232126e00f55ce

SHA512
cfeea255c66b4394e1d53490bf264c4a17a464c74d04b0eb95f6342e45e24bbc99ff016a469f69683ce891d0663578c6d7adee1929cc272b04fcb977c673380f

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-string-l1-1-0.dll
Filesize
11KB

MD5
b72698a2b99e67083fabd7d295388800

SHA1
17647fc4f151c681a943834601c975a5db122ceb

SHA256
86d729b20a588b4c88160e38b4d234e98091e9704a689f5229574d8591cf7378

SHA512
33bdfe9ac12339e1edab7698b344ab7e0e093a31fedc697463bbe8a4180bb68b6cc711a2ceb22ce410e3c51efaa7ea800bad30a93b3ac605b24885d3ef47cb7a

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-1-0.dll
Filesize
13KB

MD5
e1debeda8d4680931b3bb01fae0d55f0

SHA1
a26503c590956d4e2d5a42683c1c07be4b6f0ce7

SHA256
a2d22c5b4b38af981920ab57b94727ecad255a346bb85f0d0142b545393a0a2d

SHA512
a9211f5b3a1d5e42fde406aab1b2718e117bae3dd0857d4807b9e823a4523c3895cf786519d48410119d1838ab0c7307d6ef530b1159328350cc23ebc32f67cd

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
a639c64c03544491cd196f1ba08ae6e0

SHA1
3ee08712c85aab71cfbdb43dbef06833daa36ab2

SHA256
a4e57620f941947a570b5559ca5cce2f79e25e046fcb6519e777f32737e5fd60

SHA512
c940d1f4e41067e6d24c96687a22be1cb5ffd6b2b8959d9667ba8db91e64d777d4cd274d5877380d4cfef13f6486b4f0867af02110f96c040686cc0242d5234b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
12KB

MD5
56486925434ebcb5a88dd1dfa173b3d0

SHA1
f6224dd02d19debc1ecc5d4853a226b9068ae3cd

SHA256
4f008aa424a0a53a11535647a32fabb540306702040aa940fb494823303f8dce

SHA512
7bb89bd39c59090657ab91f54fb730d5f2c46b0764d32cfa68bb8e9d3284c6d755f1793c5e8722acf74eb6a39d65e6345953e6591106a13ab008dcf19863ae49

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
6f9f9d52087ae4d8d180954b9d42778b

SHA1
67419967a40cc82a0ca4151589677de8226f9693

SHA256
ef1d71fe621341c9751ee59e50cbec1d22947622ffaf8fb1f034c693f1091ef0

SHA512
22a0488613377746c13db9742f2e517f9e31bd563352cc394c3ae12809a22aa1961711e3c0648520e2e11f94411b82d3bb05c7ea1f4d1887aacf85045cf119d7

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-core-util-l1-1-0.dll
Filesize
11KB

MD5
7243d672604766e28e053af250570d55

SHA1
7d63e26ffb37bf887760dc28760d4b0873676849

SHA256
f24a6158d7083e79f94b2088b2ea4d929446c15271a41c2691b8d0679e83ef18

SHA512
05b0edf51f10db00adc81fa0e34963be1a9f5c4ca303a9c9179c8340d5d2700534c5b924005556c89c02ac598ba6c614ee8ab8415f9ad240417529e5e0f6a41b

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
c0c8790510471f12f3c4555e5f361e8e

SHA1
7adffc87c04b7df513bb163c3fbe9231b8e6566a

SHA256
60bd8f0bd64062292eff0f5f1a91347b8d61fbe3f2e9b140112501770eae0b80

SHA512
4f71aa0942f86e86f787036dc60eaea33af0c277f03cf1e551aaaba48dad48593bcceeccc359efbf18ef99cf49f2d46b4c17159a531ffb1c3a744abce57219eb

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
ebac9545734cc1bec37c1c32ffaff7d8

SHA1
2b716ce57f0af28d1223f4794cc8696d49ae2f29

SHA256
d09b49f2a30dcc13b7f0de8242fa57d0bdeb22f3b7e6c224be73bc4dd98d3c26

SHA512
0396ea24a6744d48ce18f9ccb270880f74c4b6eab40f8f8baf5fd9b4ad2ac79b830f9b33c13a3fec0206a95ad3824395db6b1825302d1d401d26bdc9eef003b2

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
c7c4a49c6ee6b1272ade4f06db2fa880

SHA1
b4b5490a51829653cb2e9e3f6fbe9caf3ba5561e

SHA256
37f731e7b1538467288bf1d0e586405b20808d4bad05e47225673661bc8b4a9f

SHA512
62ccdfac19ef4e3d378122146e8b2cba0e1db2cc050b49522bedbf763127cc2103a56c5a266e161a51d5be6bd9a47222ee8bb344b383f13d0aac0baa41eab0ff

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
bef17bf1ba00150163a2e1699ff5840a

SHA1
89145a894b17427f4cb2b4e7e814c92457fd2a75

SHA256
48c71b2d0af6807f387d97ab22a3ba77b85bdf457f8a4f03ce79d13fbb891328

SHA512
489d1b4d405edbb5f46b087a3ebf57a344bf65478b3cd5fcf273736ea6fdd33e54b1806fbb751849e160370df8354f39fc7ca7896a05b4660ad577a9e0e683e4

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
fbfcf220f1bf1051e82a40f349d4beae

SHA1
43154ea6705ab1c34207b66a0a544ac211c1f37d

SHA256
9b9a43b9a32a3d3c3de72b2acca41e051b1e604b45be84985b6a62fb03355e6d

SHA512
e9ab17ceb5449e8303027a08afdbdd118cb59eaea0d5173819d66d3ee01f0cd370d7230a7d609a226b186b151fe2b13e811339fa21f3ec45f843075cedc2a5c0

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
2c8e5e31e996e2c0664f4a945cece991

SHA1
8522c378bdd189ce03a89199dd73ed0834b2fa95

SHA256
1c556505a926fd5f713004e88d7f8d68177d7d40a406f6ed04af7bacd2264979

SHA512
14b92e32fb0fd9c50aa311f02763cba50692149283d625a78b0549b811d221331cf1b1f46d42869500622d128c627188691d7de04c500f501acd720cea7c8050

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-math-l1-1-0.dll
Filesize
20KB

MD5
77c5cc86b89eed37610b80f24e88dcc2

SHA1
d2142ecce3432b545fedc8005cc1bf08065c3119

SHA256
3e8828ab7327f26da0687f683944ffc551440a3de1004cc512f04a2f498520f6

SHA512
81de6533bba83f01fed3f7beed1d329b05772b7a13ffe395414299c62e3e6d43173762cb0b326ea7ecf0e61125901fcee7047e7a7895b750de3d714c3fe0cc67

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
4394dafed734dfe937cf6edbbb4b2f75

SHA1
06ec8f1f8dd1eab75175a359a7a5a7ee08d7a57a

SHA256
35b247534f9a19755a281e6dc3490f8197dd515f518c6550208b862c43297345

SHA512
33d9c5041e0f5b0913dd8826ceb080e2284f78164effde1dbf2c14c1234d6b9f33af6ae9f6e28527092ad8c2dbc13bddfc73a5b8c738a725ad0c6bb0aa7fcfaf

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-private-l1-1-0.dll
Filesize
60KB

MD5
18bdfd4b9e28f7eba7cbb354e9c12fcb

SHA1
26222efacb3fce1995253002c3ce294c7045cf97

SHA256
3105da41b02009383826ed70857de1a8961daeb942e9068d0357cddd939fa154

SHA512
7d27eeff41b1e30579c2a813eea8385d8a9569bc1ece5310b0a3f375fba1894028c5cec2cf204e153a50411c5dcf1992e8ac38f1c068c8f8af9bd4897c379c04

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-process-l1-1-0.dll
Filesize
12KB

MD5
7ddd5548e3c4de83d036b59dbf55867a

SHA1
e56b4d9cfca18fb29172e71546dc6ef0383ac4e9

SHA256
75f7b0937a1433ea7e7fa2904b02fd46296b31da822575c0a6bc2038805971ef

SHA512
9fb30ef628741cebbc0f80d07824e80c9c73e0e1341866f4e45dc362fea211d622aa1cffc9199be458609483f166f6c34c68b585efe196d370c100f9c7315e0d

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
a3f630a32d715214d6c46f7c87761213

SHA1
1078c77010065c933a7394d10da93bfb81be2a95

SHA256
d16db68b4020287bb6ce701b71312a9d887874c0d26b9ebd82c3c9b965029562

SHA512
920bb08310eadd7832011ac80edd3e12ce68e54e510949dbbde90adaac497debe050e2b73b9b22d9dc105386c45d558c3f9e37e1c51ed4700dd82b00e80410bc

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
c99c9eea4f83a985daf48eed9f79531b

SHA1
56486407c84beecadb88858d69300035e693d9a6

SHA256
7c416d52a7e8d6113ff85bf833cae3e11c45d1c2215b061a5bbd47432b2244a5

SHA512
78b8fd1faada381b7c4b7b6721454a19969011c1d1105fc02ba8246b477440b83dc16f0e0ce0b953a946da9d1971b65315ac29dbb6df237a11becb3d981b16b9

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
d3d72d7f4c048d46d81a34e4186600b4

SHA1
cdcad0a3df99f9aee0f49c549758ee386a3d915f

SHA256
fd8a73640a158857dd76173c5d97ceeba190e3c3eabf39446936b24032b54116

SHA512
6bf9d2fdc5c2d8cd08bf543ef7a0cdcb69d7658a12bee5601eeb9381b11d78d3c42ef9dd7e132e37d1ec34cc3dc66df0f50aefadfdc927904b520fdc2f994f18

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a992f1e06c3c32ffe9799d4750af070a

SHA1
97ffd536d048720010133c3d79b6deed7fc82e58

SHA256
b401edaac4b41da73356de9b3358dc21f8b998a63413c868510dc734b1e4022f

SHA512
50bd08680fccff190454e6555e65e2787bdc0e8a9bf711e364eb0b065951c2430559e049202b8f330ac65e9d4cd588349c524a71f700e179859d7829d8e840b8

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
cb4a19b88bec5a8806b419cf7c828018

SHA1
2bc264e0eccb1a9d821bca82b5a5c58dc2464c5d

SHA256
97e4c91103c186517fa248772b9204acf08fde05557a19efe28d11fb0932b1f7

SHA512
381edd45ecd5d2bdefd1e3ad0c8465a32620dfa9b97717cadb6a584c9528fed0d599d5a4889962f04908ca4e2b7b4497f0e69d8481ee5f34ea5d9106d99760c3

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\concrt140.dll
Filesize
336KB

MD5
65f2e5a61f39996c4df8ae70723ab1f7

SHA1
7b32055335b37d734b1ab518dcae874352cd6d5c

SHA256
8032b43bdd2f18ce7eb131e7cd542967081bea9490df08681bf805ce4f4d3aab

SHA512
0b44153ac0c49170008fb905a73b0ab3c167a75dc2f7330aed503f3c0aedfd5164a92d6f759959a11eceb69e2918cb97c571a82715ad41f6b96888d59973f822

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\crashreport.dll
Filesize
51KB

MD5
54eb1567d87a7f8d522b558befab22da

SHA1
b461e8eadbfe5a5beff264aec3bb7456524d6e9e

SHA256
fca9cd3b650bb5384a25cdcf5a3947f246b5c3d9ca81c387fe1faab2427f20d3

SHA512
b1e3b347fabf3054ec729eefa7495f775f26fb4221bebfb785076e16ea1cfcd2d3738e2851ae0c8a753861bd8bad1931108067967f20faeebe33ed9b43916b93

Download Submit
C:\LDPlayer\LDPlayer9\vbox64\fastpipe.dll
Filesize
67KB

MD5
38a04f46d8f9d5c9c7f7ee6a7175fd4e

SHA1
f829e1b3a21d1278f9729bb739b6e8cd74bcdead

SHA256
ad34635b76825b34172af347934c831182891dc2ca6820deeb8a8bd7974c822b

SHA512
603853062cdbe8790a4c82b7cc72ee381f5566f7715085f091042731bfdab5019686f3a2a61e33675be14560f7aedf96986188bdf4f88520eee38c7452c466aa

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
Filesize
641B

MD5
e6eafa34e4c79244e31bc22950badcc2

SHA1
f6413968f5bbb512c40076dae5fa6127a0c03e33

SHA256
c02527dc6e4d229d69dc11c85474a500cf093cd10af15d5ab84e1df4fd3c612e

SHA512
7bc769727d19cbf43ef4c8104d2ccbad8f7b269113fd589c234ca45f6a9cf82d4c7f609ecd9be4afdcfb93b0205ad25d52b26693108d8fbf1124c38bd8be42e6

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
81d32e1fb575dede7ff1d03dca5a1e00

SHA1
497f3e17b0873fbe83abf86459ea33b594fbedb9

SHA256
744b0743ca0d05ccfafcf22dbd3786aab37e34874c01dff130293bafa407d62f

SHA512
093aeed00f25548b8f5d3b138003bd69f0ca95ccbd265dc1e0564084db4c6592d42f663eee27ccd203ac96e778f4ca9242746ee8cf6e4e92ec967a6f19dcda63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d204c245084fa3a85deae26d193d0570

SHA1
671f9623de00c3f82bc7243cdaf90d6119c13987

SHA256
b447bc10a617e1bfd655febac94060a3fe1eb963b3770b1a4dfcfb4cc8ef2372

SHA512
acef2625540af61fc6b575168044ece9e8e3a290326963b26fa527fe47f9841874a23ec6cced2bdecb2e8af5f9e00e3a05a4d269a51bc90e7a23f2ed1f171f5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
87bb1f21cdb02c7d457564f63db71cba

SHA1
063e1102b215bfd1769334156b879ad24137ad60

SHA256
85dab5d6bf1a20fcbbe00cd3ba6071bec62baf752c6939ba538fa7bb9ba48602

SHA512
96dc48ac89bafec1b086e4b30cb826a5bfabe3a5243f7340d481204f89b1912b6151b73404b29af1d886c1c26b837e9f8186f2fc7545427d376735198ae9f8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
24b7c844cff28116572012d9d0712ff6

SHA1
c1528dbf9941e2d6e5ca7b0e01cb4f9baf23315a

SHA256
b8a8e68d134889c6f88b202c38325b8296dfda0d14b276da86637e0aad74217e

SHA512
724378710d5a5da54995be3f7527e2963b0f58af4ac8af9b90323caf938007aba28debdfd96bd9740b3563533b83fefce00f379cc02eba89f7e3c0de346b1ccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
12273013c0aac9c71c7dd8c4ab1b3dbc

SHA1
19c2b7d79d5b9bbb59ce7445485eba4e3bde4a2f

SHA256
5ae6054c3b2e491b8b7839bc61d56d7197fc4286e6c1b73a64b87640dac248ae

SHA512
844cded04b1e7d134afc32c3e9e7e4e84c1d4791d5852ed39af0d02906adcde8a6faa7e67168d16de6a635598e5e7b44c0d5dc29a982be1f8b5abc7d7811c70a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1d33cae530f00a61c1fb5542507f896a

SHA1
258de6f3abbf98abbb4360ec964f1848b05f0b96

SHA256
6b800f45a6cda6718032c137ff7054652cc0f5faf7fb2dd4f02af50858fd2a3a

SHA512
c5a7b2c7785533d9746c2f13f62a58e250b5c57991997751b9a4f97b86c5934ab54d6d4064dbe58753e513d5874f31ff54785e965082bf1c6fc1a64c09eaa78d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
77c738210a805d93c8375f8b2172ecaa

SHA1
29ed9f60eb8512ed1bf4a0be481c802802299545

SHA256
fc2b6c8d1612bd65c9141cf35f001b117a54c786443ac5568d1e4fc86aa3022e

SHA512
1142dbec3b7257ee1eee39d54fb2a82c07d10b28854b9ccb58d7c825ded3dc7f198dd46aceae73eb17286689586b191fca3bcad21bdd3816f99211c774af5c56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bdc8ac60a23c80576e89741a72f9c62b

SHA1
4cbe70eac3a1533cece897da2e382f4e362fc5a9

SHA256
ab6ed33d71a8ec72c6576596050e14201d557b84ba75056c2c0b8450daf41861

SHA512
010b3fcfd4a2451eac4b174e132dd9a52331d7ac09a6dcd8cff2d8cde2dfd7793a4860864fb5c1ba5e934e443b9ee13b933000b11b1a810f6fc1e7b8836d5f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
18106e4c79a496f9ab0220c8b7e2bb76

SHA1
9a84db832e269e6084bd66c9d4604c1563649669

SHA256
f65b09e016e08e58696f998ee3a5ea7d6c00e3eddcf6e4d033c4bbcc83d9132f

SHA512
7fbd9ec66c13293df8fc9342422cc69077666eee80af73b5515b11a840134aa6f4866ae076635b736331521dfb37a59394f4fcb9099db56b13d554d418a239b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
02bdd1261f3ad0db83c6fec893e631cc

SHA1
df06dfb220f4c715fe3a7f7653ef8ebdc773c9d6

SHA256
c31776b6145c26d5d3ecf6d2e7fbb310a9da9c82baf12244b284e8117e2f73d3

SHA512
e98f17dce4ff7b9e293d4c2bea5961e358c97cf49b44e572f464552da6f98769d97fd0d4e9b1292dd5b5b8490ca77e9990121efe8d37097bca772ae84f407f05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3b1f3a236ad39bb2924f546429f5a9fc

SHA1
dd5f34bc95a18d7d5b4e760d6c8650fadd146fae

SHA256
c3d81dc5a34ff425c1a5ac2539207ac54ed7f7af3a8d9921471a8a8529c5ab38

SHA512
62645841c5468eff23e55058ffa5d3bd4bdead8f7943b0c47b7992d802fe8bdd265cf2d375ca999aa8258b9fe090f1bdfdf20c173561b7f6e64a73bf16544636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
37b43c7513b1c45e9eae09e1be76d11d

SHA1
c61e3bc348116d007057327014807760905abd9b

SHA256
84199daefecf887b0b9415f24c5c65140d7502a78381e7e9e982ab713fc9e6c5

SHA512
78915ebb9b8c7b2f86e6510fc187d5c35f7efccf106c7c010bf8ddfaa6273922bfd65cd8a9fa3186ef5696db5241fb3d13bad0c6145b865ea649a9a7209b58a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ed25620c49efc45a88eb6fa9113422ff

SHA1
ad7c128f0999c470390c2572b3716f77beaf8c2e

SHA256
49a276f19319a3095d9fbe52eda916e9c3c2610bbab5b5aff83ec104d9c15043

SHA512
025f7f77d7558801c2837697416d8710ed891a9b93eaa0db74c9836c5e535ae0d7ec11d52404f88c837728c5e5cfc1df8927587d78239ebf0c82e87703a5b2b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b3f42257b1cbe17c26f079f429bfb74d

SHA1
9d6db78ac4e1d031b3c555a2b21ed34e80192937

SHA256
fc1aceafaa20ae97ba4c0faf3fd76448ef53632a7dd04eb428ce18613b64fee4

SHA512
e93be229be977cf0fcce5eebdcc9901ee7d23ab4b42f0f781f09fe2462f4189ea57cbdc123303d96ea82368fb6977fd1a248aa3c2e374db71ff64008a97128c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7e03d50c459dda451a1bf64f453f4705

SHA1
d6b862cefcd397abb8dc9bc0614132589cc473f8

SHA256
92728960906b4bf79746619c5ffa7feb976231f4256760d37f8b320a37083602

SHA512
419d63e11dc72115286d745866f5e8464772ca6a6a3494623c1991ee0bbaa0e3c90ec74c3eceff450a617614875aa54d679f188312476b8aa81aec3994d86b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e0cffae765c466eeea78756b3102e971

SHA1
68906f1b70ccba664a46e83293cbfa0bc4449f3b

SHA256
e1b6bc999da7c56955eb284858bcbcb50a05b8b93e908d1c893a07ed8815f1a5

SHA512
5e241dd97fd915992a5dd1ba41ec71a20c0aaf4ea371afa975d1ab444e8d31650e1e0753bee7a476c155489fed5770a11984c204b576e6999de3e846b16a26f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7753de93ddf69c19a043fa01dbd010c1

SHA1
aeec40593f94cbffc6e57ac6d24a720943ffd9e9

SHA256
e3edb1723436fb0711196b53c2fa70cf6a6cccad8c2b1c33ed6073a4f3a3d0f6

SHA512
e9e8201b207a792861b587ef218efa0df1f851109ecffe12147eff265e5fd0090fdf1ca97b766050edb99ef9fbd654b72c96442ade1830c7b6ba347bc93766d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
edb85581b07966a4a42fba75c518f260

SHA1
c484030320802d639463b2055c98075a5df175a7

SHA256
eda728bf7f01cb388bbe7cdf41784587f865014530689c4cd3b3181fd2e73c41

SHA512
80e6e84060b3e4895f971761f0a6a803041d16411e02ed561a1cc6b8d0ca7184f124e8d431089f616e7dbf5d4e9ae3f90f084410f4795f999263d026c2b08229

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ecc0ee2c3c7623f665034e1a370aae3c

SHA1
fe6a39c3d67e3930d8d3db8053dc69dde4ac634a

SHA256
6b8a0db5a941ba518950214049e2aac9a3bd9796437f7add5ac56de56380c29b

SHA512
7bc2b2971471c5acfc487827d8b2fc1f36a5ec628e66a45168739a868ff567f1f36d49277bc42b429517f2e5483f1eefa1e2d6b14f913e19a430444734df0c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dd4723e674c4f609ae1734a0d09a6d50

SHA1
b3513f7ef99ff981878bd0e0806b3341ef2456d3

SHA256
f2e83eb80aac977cc442591620acdffe1dab3234f4c5106419fac47c7f05c390

SHA512
fc2ffd920cdb2c693fe7a73dd68ff59ca8bd23d1e1ac439ad799e71741460fbc3c99db6e18dba4a10d30dbf56759279f66e01570c9fc36d2b071454d64c40981

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
61e5ef0d4cf53f0e5daca96666ed1493

SHA1
3644a5f623e08358daf1e43b6d640eb07fe8d152

SHA256
552174540ba9b0f171dc54cdf8c33cc64f61c848502e269eee9c4887a8d303a7

SHA512
9dd6a267e1d58713c800c8d6956eb42639f610ae1a05e786cc99cd1d734bc4ab8f070708d58cea63255d4568eb5cb7459019869e96555b2b14813ce1a3c6d1bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
78ef3133db0256b6b55f261854d85f09

SHA1
c25e83ebfe6684454c01cd3739985e409efae699

SHA256
522cd7fc50851dd4dab31d11e5d6b69df33a616f7e092f10a47dc0fb37cf2815

SHA512
242555db85aea07ed352587e8d37a63ba10347b4f1da34135e61ebcb6b4ca6d14fe092044b42efed33f94e8d7f32774297cb21919a4527fb86ed816409842892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3f7021c47f9f760e9ed5a80eace9cd86

SHA1
1fec0af592d76d8d157ab25b0c96908444580033

SHA256
932ab82ee6f3efc308b182ee3afee6d32a9a34e2497c057d1968555e6535d501

SHA512
e924a688698c5aa52038396e38acf3d5ce8b8cf06c809a3e8f23c70517ddadd564e0062f2ad3b5878760b7dbed2e4b8aeb0cfd7a3da2c25ab808e9878f5e9a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
eb4efae1060924abf1369d2398b070e3

SHA1
6e6fad1c4c603c064b6e47dbffc7790761d83068

SHA256
51ae67c68056e4b3ab8adf78164fb04deab1261868e8b5bc292692c5c489c4ee

SHA512
6af580d4f5ff589fe582abd25598ec5f3929331460fa71ad8c6c2a0eaa1d1a6e49ee2bbc95f8697f2202ecc83a815074e21f08d109d9af719163c426a6ab88e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
001fc11d141984fa9f3ad4c9713300e3

SHA1
253159a5d8b427e001b3da9ef5fa6baea3d8aa81

SHA256
3e39e53ba359d1e87f22342262da1031ec7aa1c1aa25707b45e48001f12831db

SHA512
bda9d08396647458a35720fe5c2f91fd52add0a4dca95b5334bfc55d87626452a77c289ac4860538145b8f9e7a69c5750a3be1a1a61c500562103e02af8b03a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f1b080a94742c9eb1edec0cbfec6b785

SHA1
c983a590d49ad80a89ababa57752d822f4900d36

SHA256
4b63f97bbcaf97b87b8f8c5d3499bb29292d40073748cf995181620b857296e3

SHA512
6b49f1e4638c65b864055a5259a1c77963a1f25d1e980f15c817c5215c4a9459633192b32956666ba40a4a9afc26bcd73629c8e27d473a5ae69878324f28b5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
15507f5cd4a6a209f8f554ebf2745783

SHA1
6f4d0961ccf0026580e426e5891abe3ac2866f5c

SHA256
fe07502961fbd87d48512118d5a36afd00c8737284ebf89bf45300e42a7aac69

SHA512
d3f4c252c24ed1c4908647f3dcf05e289a20a3bd47b6ca0f885ab295b41a1c8502b745642fc8690fc2a23ea09d74450b321ec32fdb522b47d4e829ff69d8f472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0001d765591a7adb681f4450c7ce121a

SHA1
5038ad1c0aa8a12b4054ea5515c8322fcc2adaa4

SHA256
16a765982ae4cc967b73447dce6a0a821899eed45ad99935bbf8cdedfd5001bb

SHA512
50a5efe69a22b2fa2c8c5a7dd5fa71263597af140251d06141fa080c73536c9a1f5356dfd4a1797698a1bc6118484cffe1e14e1ac47aa9ef3dc367369c4e68df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KG47FLAQ\www.youtube[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KG47FLAQ\www.youtube[1].xml
Filesize
229B

MD5
455bee7cda5300d9e8cc85e06f95cbe0

SHA1
3ec6074fff4ecb02a2832b3d3a8f66ce5cebb865

SHA256
2937b97b1a5bcb0465d62981d45af1220caaa79f61b2fff1cb47a115b4969bfb

SHA512
d3b6b89706db7ff09ee24af326ff765b86413dce3fb8ddcca17ae71c743b4c18cef52e2ffec4b8b7181f357ae1e07754eb7228e82535d6f7173b3584cac3827c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\KG47FLAQ\www.youtube[1].xml
Filesize
641B

MD5
4f3478451b135c09f675f478d030aa88

SHA1
d0f1117205f6d2be391ac2fe57030caa29699aa2

SHA256
bff18af703b5ab7c9ca0287eff850bc1a11c26dbf4e6474295276deffecb8b4b

SHA512
579a6438decbb82e687888464abe6079f11abdfbfd0e52c086a07392e42b8321b96c7087a65f51d7de110ad3fb389e2b1c24df443ec09b612f2512c8db2bcb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6y0a2v0\imagestore.dat
Filesize
34KB

MD5
9976b6958679cd0ac980608204ed62aa

SHA1
979552d64102902dfc28f442a374620f57edbdce

SHA256
9b86fa49dccb589cdc8b57d64e443ff178db354fe307c536f52e327dfdb25d85

SHA512
fa93e36943be1fe87610948acf012b766ec956072bfd3f97b3008fdf1acadce05d606c3ab6e02cca47364488457c5e0a5c4c0eb4b2b1cbc5fb2a0069dca3d02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\favicon[2].ico
Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IW68H88T\favicon[3].ico
Filesize
9KB

MD5
a0c760136e1b6f7633a3582f734c53eb

SHA1
00176cd4ab6423fb4673ad856e79447b93dd05fe

SHA256
c7eb5447c806948853f817df7f8a1871a8707987d5606e39b145d69f7dc29cd1

SHA512
b5f9d0e6fc9346ac34a87fc5cb42bf375a0e2d58eff5fb53dfae4a1e576940cb2f57f921be390bb66b5ebc7b174b9d88d8519a27773624f1dabc960e077ecf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3173.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2XD3LA2IUAR239431QX1.temp
Filesize
7KB

MD5
c4b408f42b30cc47b84750bdb8134506

SHA1
69ee8cd83f9c7b49e59339b7d2c1d3ace73148ca

SHA256
7b3eb80cb708d7a9614fed8bd5e5e44a253c1b34af204f023e940d30a11c7261

SHA512
79ecdee9bca3e3669332b6c37be76cc76a3841c46ed3fc97aa0339120da5d1315fbb64415de4e60e07dd492a3a83647ff0382f7d3adfff6d7943b2bd187263a4

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
\LDPlayer\LDPlayer9\crashreport.dll
Filesize
51KB

MD5
19dae6362eb73913f7947f719be52516

SHA1
e157307ae8e87c9a6f31bc62ecdf32d70f8648d9

SHA256
ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d

SHA512
f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2

Download Submit
\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
41.9MB

MD5
4def56a3500d5a4dec3ff797a88c5751

SHA1
1a53c9c6f3d1e27ac8532e09f87990505c8090de

SHA256
c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4

SHA512
a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
memory/836-912-0x0000000005330000-0x0000000005332000-memory.dmp

Filesize
8KB

Download
memory/836-913-0x0000000005340000-0x0000000005342000-memory.dmp

Filesize
8KB

Download
memory/836-1435-0x000000006B060000-0x000000006B606000-memory.dmp

Filesize
5.6MB

Download
memory/836-1436-0x000000006AFE0000-0x000000006B05A000-memory.dmp

Filesize
488KB

Download
memory/836-1434-0x000000006B610000-0x000000006B68E000-memory.dmp

Filesize
504KB

Download
memory/836-1433-0x000000006B690000-0x000000006D08B000-memory.dmp

Filesize
26.0MB

Download
memory/836-893-0x0000000035920000-0x0000000035930000-memory.dmp

Filesize
64KB

Download
memory/2584-910-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2584-911-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2992-159-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-154-0x0000000003890000-0x00000000038D4000-memory.dmp

Filesize
272KB

Download
memory/2992-926-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-16-0x0000000002D70000-0x0000000002D86000-memory.dmp

Filesize
88KB

Download
memory/2992-155-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-156-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-157-0x00000000038D0000-0x0000000003910000-memory.dmp

Filesize
256KB

Download
memory/2992-158-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/2992-17-0x0000000074A90000-0x0000000074AA6000-memory.dmp

Filesize
88KB

Download
memory/2992-11-0x00000000038D0000-0x0000000003910000-memory.dmp

Filesize
256KB

Download
memory/2992-12-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download