Malware analysis /download/LDPlayer9.exe Malicious activity

Add for printing

download:	/download/LDPlayer9.exe
Full analysis:	https://app.any.run/tasks/5ae611c7-79b3-42d1-b998-44ae2dbe581d
Verdict:	Malicious activity
Analysis date:	February 20, 2026, 13:10:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto generic anti-evasion antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	E1D2D9CCEF105D0D0B4BBFA13A1ABB13
SHA1:	717F2DCA5DD007D091F1DCE6C6D786CB03C68579
SHA256:	10FCACEC94908199B1C3A9C8912381C623419C7E7F4310D407AC4BD2F00286EA
SSDEEP:	98304:tAHAQ89zGP++kjkVAGR+cXxKp0IXthS+i6te+AMLAgDsUBtK8fWi1OjtbJhN8eWD:Z0f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - dnrepairer.exe (PID: 8544)
  - net.exe (PID: 8308)
- GENERIC has been found (auto)
  - LDPlayer_0900020001.exe (PID: 3304)
- Registers / Runs the DLL via REGSVR32.EXE
  - dnrepairer.exe (PID: 8544)
SUSPICIOUS
- The process creates files with name similar to system file names
  - LDPlayer_0900020001.exe (PID: 3304)
- Uses ICACLS.EXE to modify access control lists
  - dnrepairer.exe (PID: 8544)
  - LDPlayer_0900020001.exe (PID: 3304)
- Starts POWERSHELL.EXE for commands execution
  - dnrepairer.exe (PID: 8544)
- Drops a system driver (possible attempt to evade defenses)
  - dnrepairer.exe (PID: 8544)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 3636)
  - regsvr32.exe (PID: 1320)
- Creates a new Windows service
  - sc.exe (PID: 1512)
- Windows service management via SC.EXE
  - sc.exe (PID: 7340)
  - sc.exe (PID: 7956)
  - sc.exe (PID: 4364)
- Takes ownership (TAKEOWN.EXE)
  - dnrepairer.exe (PID: 8544)
  - LDPlayer_0900020001.exe (PID: 3304)
- Uses powercfg.exe to modify the power settings
  - LDPlayer_0900020001.exe (PID: 3304)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 2140)
- Starts CMD.EXE for commands execution
  - dnplayer.exe (PID: 7620)
- The process checks if it is being run in the virtual environment
  - conhost.exe (PID: 7156)
  - conhost.exe (PID: 1684)
  - conhost.exe (PID: 1844)
- Executes application which crashes
  - Ld9BoxHeadless.exe (PID: 4152)
- There is functionality for communication over UDP network (YARA)
  - dnplayer.exe (PID: 7620)
  - Ld9BoxSVC.exe (PID: 6916)
- There is functionality for VM detection VirtualBox (YARA)
  - dnplayer.exe (PID: 7620)
  - Ld9BoxSVC.exe (PID: 6916)
- There is functionality for VM detection antiVM strings (YARA)
  - dnplayer.exe (PID: 7620)
INFO
- Checks supported languages
  - LDPlayer9.exe (PID: 5752)
  - LDPlayer_0900020001.exe (PID: 3304)
  - dnrepairer.exe (PID: 8544)
  - Ld9BoxSVC.exe (PID: 7864)
  - driverconfig.exe (PID: 7100)
  - dnplayer.exe (PID: 7620)
  - Ld9BoxSVC.exe (PID: 6916)
  - vbox-img.exe (PID: 8668)
  - vbox-img.exe (PID: 7608)
  - vbox-img.exe (PID: 5524)
  - Ld9BoxHeadless.exe (PID: 4152)
- Creates files or folders in the user directory
  - LDPlayer9.exe (PID: 5752)
  - LDPlayer_0900020001.exe (PID: 3304)
  - dnrepairer.exe (PID: 8544)
  - dnplayer.exe (PID: 7620)
  - WerFault.exe (PID: 6884)
- Checks proxy server information
  - LDPlayer9.exe (PID: 5752)
  - LDPlayer_0900020001.exe (PID: 3304)
  - dnplayer.exe (PID: 7620)
  - slui.exe (PID: 2424)
  - WerFault.exe (PID: 6884)
- Reads the computer name
  - LDPlayer9.exe (PID: 5752)
  - LDPlayer_0900020001.exe (PID: 3304)
  - Ld9BoxSVC.exe (PID: 7864)
  - dnplayer.exe (PID: 7620)
  - Ld9BoxSVC.exe (PID: 6916)
  - Ld9BoxHeadless.exe (PID: 4152)
- Reads the machine GUID from the registry
  - LDPlayer_0900020001.exe (PID: 3304)
  - LDPlayer9.exe (PID: 5752)
  - dnrepairer.exe (PID: 8544)
  - dnplayer.exe (PID: 7620)
- Reads security settings of Internet Explorer
  - LDPlayer_0900020001.exe (PID: 3304)
  - LDPlayer9.exe (PID: 5752)
  - dnplayer.exe (PID: 7620)
- Creates files in the program directory
  - dnrepairer.exe (PID: 8544)
- Drops script file
  - dnrepairer.exe (PID: 8544)
  - powershell.exe (PID: 8396)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 5304)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5304)
  - powershell.exe (PID: 412)
  - powershell.exe (PID: 8396)
- There is functionality for taking screenshot (YARA)
  - dnrepairer.exe (PID: 8544)
  - dnplayer.exe (PID: 7620)
- Creates a software uninstall entry
  - LDPlayer_0900020001.exe (PID: 3304)
- Create files in a temporary directory
  - Ld9BoxHeadless.exe (PID: 4152)
- Reads Environment values
  - Ld9BoxHeadless.exe (PID: 4152)
- Reads CPU info
  - dnplayer.exe (PID: 7620)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (3.6)
.exe	\|	Generic Win/DOS Executable (1.6)
.exe	\|	DOS Executable Generic (1.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2026:02:06 03:31:40+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	2147328
InitializedDataSize:	1380352
UninitializedDataSize:	-
EntryPoint:	0x1762bd
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Unknown (0009)
CharacterSet:	Unicode
CompanyName:	JUST OKAY LIMITED
FileDescription:	JUST OKAY LIMITED
FileVersion:	1.0.0.6
InternalName:	JUST OKAY LIMITED
LegalCopyright:	Copyright (C) 2024
OriginalFileName:	JUST OKAY LIMITED
ProductName:	JUST OKAY LIMITED
ProductVersion:	1.0.0.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

228

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

412

"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

552

"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y

C:\Windows\SysWOW64\takeown.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Takes ownership of a file

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1212

"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s

C:\Windows\System32\regsvr32.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1320

"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s

C:\Windows\SysWOW64\regsvr32.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1512

"C:\WINDOWS\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto

C:\Windows\SysWOW64\sc.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1672

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1684

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

vbox-img.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1844

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

vbox-img.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1856

"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t

C:\Windows\SysWOW64\icacls.exe

—

dnrepairer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

44 890

Read events

44 422

Write events

444

Delete events

Modification events


(PID) Process:	(5752) LDPlayer9.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\lden
Operation:	write	Name:	pcmac
Value: 86b7989e20bc11c77505a712814c8321
(PID) Process:	(3304) LDPlayer_0900020001.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\ld\dnplayer_en
Operation:	write	Name:	pcid
Value: 86b7989e20bc11c77505a712814c8321
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15
Operation:	write	Name:	Dll
Value: WINTRUST.DLL
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15
Operation:	write	Name:	FuncName
Value: WVTAsn1SpcPeImageDataEncode
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004
Operation:	write	Name:	Dll
Value: WINTRUST.DLL
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004
Operation:	write	Name:	FuncName
Value: WVTAsn1SpcPeImageDataEncode
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25
Operation:	write	Name:	Dll
Value: WINTRUST.DLL
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25
Operation:	write	Name:	FuncName
Value: WVTAsn1SpcLinkEncode
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008
Operation:	write	Name:	Dll
Value: WINTRUST.DLL
(PID) Process:	(5588) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008
Operation:	write	Name:	FuncName
Value: WVTAsn1SpcLinkEncode

Add for printing

Executable files

Suspicious files

Text files

Unknown types

670

Dropped files

PID	Process	Filename		Type
5752	LDPlayer9.exe	C:\LDPlayer\LDPlayer9\LDPlayer_0900020001.exe.part1		—
		MD5:—	SHA256:—
5752	LDPlayer9.exe	C:\LDPlayer\LDPlayer9\LDPlayer_0900020001.exe.part0		—
		MD5:—	SHA256:—
5752	LDPlayer9.exe	C:\LDPlayer\LDPlayer9\LDPlayer_0900020001.exe		—
		MD5:—	SHA256:—
3304	LDPlayer_0900020001.exe	C:\Users\admin\AppData\Roaming\XuanZhi\fonts\NotoSans-Regular.otf		—
		MD5:—	SHA256:—
3304	LDPlayer_0900020001.exe	C:\LDPlayer\LDPlayer9\data-3G.vmdk		—
		MD5:—	SHA256:—
3304	LDPlayer_0900020001.exe	C:\LDPlayer\LDPlayer9\data.vmdk		—
		MD5:—	SHA256:—
3304	LDPlayer_0900020001.exe	C:\LDPlayer\LDPlayer9\dnresource.rcc		—
		MD5:—	SHA256:—
5752	LDPlayer9.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_B7ED31D77D311A56FDCB56A0083B3E0B		binary
		MD5:50495C523DD259127D57983EDE0D4AD7	SHA256:F0FF8A832FC72E0B7D99FBEE2E801950FE181D14B73CF478FFAEB06CBCD74805
5752	LDPlayer9.exe	C:\LDPlayer\LDPlayer9\th_count_0900020001.ini		binary
		MD5:04E392F8ABB284A9A73F966A497E469E	SHA256:1A10E1F299B3CF82F901B8ECB14D82B5C9CE0EF49464FF8EFABA2D603DBEC6D3
3304	LDPlayer_0900020001.exe	C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf		binary
		MD5:E2E37D20B47D7EE294B91572F69E323A	SHA256:153161AB882DB768C70A753AF5E8129852B9C9CAE5511A23653BEB6414D834A2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5752	LDPlayer9.exe	GET	—	23.213.161.23:443	https://static.ldrescdn.com/download/package/LDPlayer_9.2.0.1.exe	NL	—	—	unknown
5752	LDPlayer9.exe	GET	—	2.16.168.102:443	https://res.ldrescdn.com/download/package/LDPlayer_9.2.0.1.exe	NL	—	—	unknown
5752	LDPlayer9.exe	GET	—	2.16.168.102:443	https://res.ldrescdn.com/download/package/LDPlayer_9.2.0.1.exe	NL	—	—	unknown
5752	LDPlayer9.exe	GET	—	2.16.168.102:443	https://res.ldrescdn.com/download/package/LDPlayer_9.2.0.1.exe	NL	—	—	unknown
5752	LDPlayer9.exe	GET	200	2.16.168.100:443	https://files.ldrescdn.com/player_files/en/leidian	NL	binary	1.92 Kb	unknown
5752	LDPlayer9.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAsA6S1NbXMfyjBZx8seGIY%3D	US	binary	313 b	whitelisted
5752	LDPlayer9.exe	POST	200	8.222.131.165:443	https://sg-datahub.changzhi.top/collection/mnq?appId=1	CN	binary	47 b	unknown
5752	LDPlayer9.exe	GET	200	47.254.135.96:443	https://apien.ldmnq.com/check/machine/channel?m=86b7989e20bc11c77505a712814c8321	CN	binary	58 b	unknown
5752	LDPlayer9.exe	GET	200	2.16.168.102:443	https://res.ldrescdn.com/player_files/en/lddownloader.data	NL	binary	4.60 Kb	unknown
—	—	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	US	binary	314 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6320	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8740	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	92.123.104.5:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5752	LDPlayer9.exe	2.16.168.100:443	files.ldrescdn.com	AKAMAI-ASN1	NL	whitelisted

DNS requests

Domain	IP	Reputation
self.events.data.microsoft.com	20.42.65.85 20.189.173.26	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.206.46	whitelisted
www.bing.com	92.123.104.5 92.123.104.12 92.123.104.62 92.123.104.6 92.123.104.13 92.123.104.63 92.123.104.66 92.123.104.65 92.123.104.9	whitelisted
ocsp.digicert.com	184.30.131.245 162.159.142.9 172.66.2.5	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
files.ldrescdn.com	2.16.168.100 2.16.168.106	whitelisted
sg-datahub.changzhi.top	8.222.131.165 47.245.87.130	unknown
apien.ldmnq.com	47.254.135.96 47.87.135.174 8.209.103.166 8.209.109.55 8.209.105.11 8.209.111.156	unknown

Threats

PID	Process	Class	Message
2292	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
5752	LDPlayer9.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
5752	LDPlayer9.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
2292	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
5752	LDPlayer9.exe	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
6884	WerFault.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

Process	Message
dnplayer.exe	audio wait from recv
Ld9BoxHeadless.exe	ldutils myhook enter
Ld9BoxHeadless.exe	ldutils backgroundPreread enter
Ld9BoxHeadless.exe	ldutils backgroundPreread leave

General Info

/download/LDPlayer9.exe

E1D2D9CCEF105D0D0B4BBFA13A1ABB13

717F2DCA5DD007D091F1DCE6C6D786CB03C68579

10FCACEC94908199B1C3A9C8912381C623419C7E7F4310D407AC4BD2F00286EA

98304:tAHAQ89zGP++kjkVAGR+cXxKp0IXthS+i6te+AMLAgDsUBtK8fWi1OjtbJhN8eWD:Z0f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

GENERIC has been found (auto)

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

The process creates files with name similar to system file names

Uses ICACLS.EXE to modify access control lists

Starts POWERSHELL.EXE for commands execution

Drops a system driver (possible attempt to evade defenses)

Creates/Modifies COM task schedule object

Creates a new Windows service

Windows service management via SC.EXE

Takes ownership (TAKEOWN.EXE)

Uses powercfg.exe to modify the power settings

Uses SYSTEMINFO.EXE to read the environment

Starts CMD.EXE for commands execution

The process checks if it is being run in the virtual environment

Executes application which crashes

There is functionality for communication over UDP network (YARA)

There is functionality for VM detection VirtualBox (YARA)

There is functionality for VM detection antiVM strings (YARA)

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Creates files in the program directory

Drops script file

Checks if a key exists in the options dictionary (POWERSHELL)

There is functionality for taking screenshot (YARA)

Creates a software uninstall entry

Create files in a temporary directory

Reads Environment values

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity