File name: LDPlayer9_pt_1008_ld.exe
Full analysis: https://app.any.run/tasks/13025021-d35f-4be4-afb1-b4c35d8810bd
Verdict: Malicious activity
Analysis date: November 26, 2024, 15:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 4B3458B9C6AAA39EF37FC290459B6908
SHA1: BA8B683ECA181784D049EFD008F50AACF5CF4079
SHA256: 9BB59EA13D91B11739E9EB8E39AB243D80935310838B0F60B450AC2A906AABEE
SSDEEP: 98304:K1EQlUiLeiYxQKN5DooPUEUMoj4Flc891YtoAlVXm1M3cJRRL+rssQarhYfLrt2j:C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • dnrepairer.exe (PID: 1904)
      • net.exe (PID: 5252)
    • Registers / Runs the DLL via REGSVR32.EXE

      • dnrepairer.exe (PID: 1904)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Executable content was dropped or overwritten

      • LDPlayer.exe (PID: 2972)
      • Dism.exe (PID: 6844)
      • dnrepairer.exe (PID: 1904)
      • dnplayer.exe (PID: 2076)
    • Uses ICACLS.EXE to modify access control lists

      • dnrepairer.exe (PID: 1904)
      • LDPlayer.exe (PID: 2972)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 6984)
    • Reads security settings of Internet Explorer

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Process drops legitimate windows executable

      • LDPlayer.exe (PID: 2972)
      • dnplayer.exe (PID: 2076)
      • dnrepairer.exe (PID: 1904)
    • Drops 7-zip archiver for unpacking

      • LDPlayer.exe (PID: 2972)
    • The process drops C-runtime libraries

      • LDPlayer.exe (PID: 2972)
      • dnplayer.exe (PID: 2076)
      • dnrepairer.exe (PID: 1904)
    • Takes ownership (TAKEOWN.EXE)

      • dnrepairer.exe (PID: 1904)
      • LDPlayer.exe (PID: 2972)
    • Drops a system driver (possible attempt to evade defenses)

      • dnrepairer.exe (PID: 1904)
    • Starts POWERSHELL.EXE for commands execution

      • dnrepairer.exe (PID: 1904)
  • INFO

    • Checks supported languages

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Reads the machine GUID from the registry

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Reads the software policy settings

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Creates files or folders in the user directory

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Checks proxy server information

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Reads the computer name

      • LDPlayer9_pt_1008_ld.exe (PID: 6312)
    • Application launched itself

      • msedge.exe (PID: 3952)
      • msedge.exe (PID: 6956)
    • Manual execution by a user

      • msedge.exe (PID: 6956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:06 02:04:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1216000
InitializedDataSize: 1440768
UninitializedDataSize: -
EntryPoint: 0xec908
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 256
Monitored processes: 120
Malicious processes: 3
Suspicious processes: 1

Behavior graph


Process information

PID 520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 1016
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 1080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2748 --field-trial-handle=2240,i,13695763631352937515,7938521398000395677,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID 1192
CMD: "C:\WINDOWS\system32\sc" start Ld9BoxSup
Path: C:\Windows\SysWOW64\sc.exe
Parent process: dnrepairer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1296
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 1460
CMD: "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: dnrepairer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1556
CMD: sc query HvHost
Path: C:\Windows\SysWOW64\sc.exe
Parent process: dnrepairer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\sc.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 1732
CMD: "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: dnrepairer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll

PID 1904
CMD: "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=459462
Path: C:\LDPlayer\LDPlayer9\dnrepairer.exe
Parent process: LDPlayer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\ldplayer\ldplayer9\dnrepairer.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll
Total events: 57 164
Read events: 56 683
Write events: 452
Delete events: 29

Modification events

PID | Process | Operation | Key | Name = Value
6312 | LDPlayer9_pt_1008_ld.exe | write | HKEY_CURRENT_USER\SOFTWARE\lden | pcmac = 0bc2376885b90fbc11f1e41ba75ee1e9
2972 | LDPlayer.exe | write | HKEY_CURRENT_USER\SOFTWARE\ld\dnplayer_en | pcid = 0bc2376885b90fbc11f1e41ba75ee1e9
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3 | DefaultId = {00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | $DLL = WINTRUST.DLL
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | $Function = SoftpubAuthenticode
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB} | $DLL = WINTRUST.DLL
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB} | $Function = SoftpubInitialize
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} | $DLL = WINTRUST.DLL
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} | $Function = SoftpubLoadMessage
2232 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB} | $DLL = WINTRUST.DLL
Executable files: 476
Suspicious files: 429
Text files: 196
Unknown types: 7

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6312 | LDPlayer9_pt_1008_ld.exe | C:\LDPlayer\LDPlayer9\LDPlayer.exe.tmp | - | - | -
6312 | LDPlayer9_pt_1008_ld.exe | C:\LDPlayer\LDPlayer9\LDPlayer.exe | - | - | -
2972 | LDPlayer.exe | C:\Users\admin\AppData\Roaming\XuanZhi\fonts\NotoSans-Regular.otf | - | - | -
2972 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\data-3G.vmdk | - | - | -
2972 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\data.vmdk | - | - | -
2972 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\dnresource.rcc | - | - | -
6312 | LDPlayer9_pt_1008_ld.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517 | binary | 3A069FAA58703D00B63980026FDDBB9D | 3F6B5AF3EE309581DECFFF9E5F49C2A9773C0A598922D8EC3EA4BA06C6A0E9FC
2972 | LDPlayer.exe | C:\Users\admin\AppData\Roaming\XuanZhi\fonts\Roboto-Regular.otf | binary | 4ACD5F0E312730F1D8B8805F3699C184 | 72336333D602F1C3506E642E0D0393926C0EC91225BF2E4D216FCEBD82BB6CB5
2972 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\appName.text | text | B88F5E1E8443F65538D157DB8E3FFBA3 | E69EAB737FCA991062800CB339B6D3900B21AAD13C8B4C5614DCB068DBDFBD40
6312 | LDPlayer9_pt_1008_ld.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517 | der | A1A8EEE47AEAE31A4AE644D41C8E04AA | BB58CBB0F532DFAE721EB858261FA6F9E9F75FD28BEBA387D67DB97A6BF0EB46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 130
DNS requests: 174
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6312 | LDPlayer9_pt_1008_ld.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH6Hwxq9kZ5xalNEESzfRqk%3D | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
7024 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1544 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
6312 | LDPlayer9_pt_1008_ld.exe | GET | 200 | 18.66.145.213:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | - | - | unknown
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAoFmyX1Sz2HlMxmMUd1OKM%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 216.58.206.67:80 | http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEBaxOReNz8x2ECenmcvEKkc%3D | unknown | - | - | whitelisted
7024 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5732 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6312 | LDPlayer9_pt_1008_ld.exe | 163.181.92.230:443 | res.ldrescdn.com | Zhejiang Taobao Network Co.,Ltd | DE | unknown
6312 | LDPlayer9_pt_1008_ld.exe | 216.58.212.142:443 | www.google-analytics.com | GOOGLE | US | whitelisted
6312 | LDPlayer9_pt_1008_ld.exe | 104.18.20.226:80 | ocsp2.globalsign.com | CLOUDFLARENET | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.166, 23.48.23.143 | whitelisted
www.microsoft.com | 23.35.229.160, 184.30.21.171 | whitelisted
login.live.com | 20.190.159.2, 40.126.31.73, 40.126.31.71, 20.190.159.71, 20.190.159.68, 20.190.159.4, 20.190.159.64, 40.126.31.69 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
res.ldrescdn.com | 163.181.92.230, 163.181.92.233, 163.181.92.229, 163.181.92.234, 163.181.92.235, 163.181.92.228, 163.181.92.231, 163.181.92.232 | unknown
www.google-analytics.com | 216.58.212.142, 172.217.18.110, 142.250.181.238 | whitelisted
ocsp2.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
apipt.ldmnq.com | 13.32.99.67, 13.32.99.62, 13.32.99.124, 13.32.99.96 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
- | - | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
- | - | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
- | - | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Debug output strings

Process | Message
Dism.exe | PID=6844 TID=6864 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=6844 TID=6864 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=6844 TID=6864 Loading Provider from location C:\WINDOWS\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=6844 TID=6864 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe | PID=6844 TID=6864 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=6844 TID=6864 Connecting to the provider located at C:\WINDOWS\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe | PID=6984 TID=4984 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
DismHost.exe | PID=6984 TID=4984 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe | PID=6984 TID=4984 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
Dism.exe | PID=6844 TID=6864 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider