File name: LDPlayer9_ens_1001_ld.exe
Full analysis: https://app.any.run/tasks/415244de-a54a-4d50-8fd9-27c7af9b9d13
Verdict: Malicious activity
Analysis date: September 30, 2024, 23:06:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: discord
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A64BD549D95BFC8BE592833460F79FCC
SHA1: 0AEEB9507ED39F14D82149C56011EC3AAED1BEC9
SHA256: D285B5242F4583D49C63A7C7F83A72F082AB395F9EAFF674FF56C8D2D0FA063D
SSDEEP: 98304:X8FjyxBkMZyzOLENk9zbz5VEmy2slI2Vrr9EhZShEBBRRL+rssQarhYfLrt2CPSM:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 6852)
      • dnrepairer.exe (PID: 2868)
    • Registers / Runs the DLL via REGSVR32.EXE

      • dnrepairer.exe (PID: 2868)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Process drops legitimate windows executable

      • LDPlayer.exe (PID: 6680)
      • Dism.exe (PID: 1568)
      • dnrepairer.exe (PID: 2868)
      • dnplayer.exe (PID: 2616)
    • Takes ownership (TAKEOWN.EXE)

      • dnrepairer.exe (PID: 2868)
      • LDPlayer.exe (PID: 6680)
    • Uses ICACLS.EXE to modify access control lists

      • dnrepairer.exe (PID: 2868)
      • LDPlayer.exe (PID: 6680)
    • Executable content was dropped or overwritten

      • LDPlayer.exe (PID: 6680)
      • Dism.exe (PID: 1568)
      • dnrepairer.exe (PID: 2868)
      • dnplayer.exe (PID: 2616)
    • Checks Windows Trust Settings

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 2636)
    • Drops 7-zip archiver for unpacking

      • LDPlayer.exe (PID: 6680)
    • The process drops C-runtime libraries

      • LDPlayer.exe (PID: 6680)
      • dnrepairer.exe (PID: 2868)
      • dnplayer.exe (PID: 2616)
    • Drops a system driver (possible attempt to evade defenses)

      • dnrepairer.exe (PID: 2868)
    • Starts POWERSHELL.EXE for commands execution

      • dnrepairer.exe (PID: 2868)
  • INFO

    • Creates files or folders in the user directory

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Reads the machine GUID from the registry

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Reads the computer name

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Checks proxy server information

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Reads the software policy settings

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
    • Application launched itself

      • msedge.exe (PID: 5436)
      • msedge.exe (PID: 652)
    • Manual execution by a user

      • msedge.exe (PID: 652)
      • dnplayer.exe (PID: 7992)
    • Attempting to use instant messaging service

      • msedge.exe (PID: 6832)
    • Checks supported languages

      • LDPlayer9_ens_1001_ld.exe (PID: 6244)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:27 09:25:08+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1215488
InitializedDataSize: 1440256
UninitializedDataSize: -
EntryPoint: 0xec8bc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 258
Monitored processes: 115
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start ldplayer9_ens_1001_ld.exe ldplayer.exe dnrepairer.exe net.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs takeown.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs takeown.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs dism.exe conhost.exe no specs dismhost.exe tiworker.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs ld9boxsvc.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs driverconfig.exe no specs conhost.exe no specs takeown.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs msedge.exe no specs dnplayer.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs sc.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs ld9boxsvc.exe no specs msedge.exe no specs msedge.exe no specs vbox-img.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs vbox-img.exe no specs conhost.exe no specs vbox-img.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs ld9boxheadless.exe conhost.exe no specs msedge.exe no specs ld9boxheadless.exe conhost.exe no specs ld9boxheadless.exe conhost.exe no specs ld9boxheadless.exe conhost.exe no specs ld9boxheadless.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs dnplayer.exe no specs ldplayer9_ens_1001_ld.exe no specs

Process information

PID: 32
CMD: "regsvr32" Wintrust.dll /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: dnrepairer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 420
CMD: "regsvr32" dssenh.dll /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: dnrepairer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: takeown.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 652
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument https://discord.gg/4bUcwDd53d
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 992
CMD: C:\WINDOWS\system32\net1 start cryptsvc
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 1108
CMD: "C:\LDPlayer\LDPlayer9\driverconfig.exe"
Path: C:\LDPlayer\LDPlayer9\driverconfig.exe
Parent process: LDPlayer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\ldplayer\ldplayer9\driverconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2236,i,2447816446712689224,6414644317574273726,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1172
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5272 --field-trial-handle=2236,i,2447816446712689224,6414644317574273726,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 68 992
Read events: 68 491
Write events: 472
Delete events: 29

Modification events

Process: (6244) LDPlayer9_ens_1001_ld.exe
Key: HKEY_CURRENT_USER\SOFTWARE\lden
Operation: write
Name: pcmac
Value: 5f91dca989018bdb17e77e4384076fba

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3
Operation: write
Name: DefaultId
Value: {00AAC56B-CD44-11D0-8CC2-00C04FC295EE}

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
Operation: write
Name: $DLL
Value: WINTRUST.DLL

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
Operation: write
Name: $Function
Value: SoftpubAuthenticode

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $DLL
Value: WINTRUST.DLL

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $Function
Value: SoftpubInitialize

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $DLL
Value: WINTRUST.DLL

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $Function
Value: SoftpubLoadMessage

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $DLL
Value: WINTRUST.DLL

Process: (2064) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}
Operation: write
Name: $Function
Value: SoftpubLoadSignature
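The process table and the registry writes above are what a responder has to reason over by hand: which of the flagged children (regsvr32 /s, net start, takeown/icacls) actually descend from the installer, and whether the WinTrust provider keys that regsvr32 rewrote still point at the stock Authenticode DLL. The script below is an added triage example, not code from the ANY.RUN report or from LDPlayer. It embeds records transcribed from this page as constructed data and applies rules equivalent to the sandbox's "Registers / Runs the DLL via REGSVR32.EXE" and "Starts NET.EXE for service management" signatures, walks each hit's parent chain, and checks the $DLL values under Cryptography\Providers\Trust. The links installer, then LDPlayer.exe, then dnrepairer.exe, then net.exe, and net.exe's command line, are assumptions inferred from the behaviour-graph order and the indicator groupings; the report prints only the parent names shown in the process table.

```python
"""Triage of the process and registry records in this report (constructed data).

Rule names mirror the sandbox's indicator names. Parents marked ASSUMED are not
printed by the report; they come from the behaviour-graph ordering.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str   # executable name as reported
    cmd: str     # command line as reported ("" where the report shows none)
    parent: str  # parent image name as reported ("" for the root)


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


# Transcribed from the "Process information" table of this report.
PROCS = [
    Proc(6244, "LDPlayer9_ens_1001_ld.exe", "LDPlayer9_ens_1001_ld.exe", ""),
    Proc(6680, "LDPlayer.exe", "", "LDPlayer9_ens_1001_ld.exe"),           # ASSUMED parent
    Proc(2868, "dnrepairer.exe", "", "LDPlayer.exe"),                       # ASSUMED parent
    Proc(6852, "net.exe", "net start cryptsvc", "dnrepairer.exe"),          # ASSUMED cmd and parent
    Proc(992, "net1.exe", r"C:\WINDOWS\system32\net1 start cryptsvc", "net.exe"),
    Proc(32, "regsvr32.exe", '"regsvr32" Wintrust.dll /s', "dnrepairer.exe"),
    Proc(420, "regsvr32.exe", '"regsvr32" dssenh.dll /s', "dnrepairer.exe"),
    Proc(1108, "driverconfig.exe", r'"C:\LDPlayer\LDPlayer9\driverconfig.exe"', "LDPlayer.exe"),
    Proc(1232, "conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "sc.exe"),
    Proc(652, "msedge.exe", '"msedge.exe" --single-argument https://discord.gg/4bUcwDd53d',  # path shortened
         "explorer.exe"),
]

# Transcribed from the "Modification events" section (subset).
TRUST = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust"
REG = [
    RegWrite(2064, "regsvr32.exe", TRUST + r"\Usages\1.3.6.1.5.5.7.3.3", "DefaultId",
             "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"),
    RegWrite(2064, "regsvr32.exe", TRUST + r"\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "$DLL", "WINTRUST.DLL"),
    RegWrite(2064, "regsvr32.exe", TRUST + r"\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}", "$Function", "SoftpubAuthenticode"),
    RegWrite(2064, "regsvr32.exe", TRUST + r"\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}", "$DLL", "WINTRUST.DLL"),
    RegWrite(2064, "regsvr32.exe", TRUST + r"\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}", "$Function", "SoftpubLoadSignature"),
    RegWrite(6244, "LDPlayer9_ens_1001_ld.exe", r"HKEY_CURRENT_USER\SOFTWARE\lden", "pcmac", "5f91dca989018bdb17e77e4384076fba"),
]


def _silent_regsvr32(p):
    # "/s" suppresses the DllRegisterServer result dialog, so the user sees nothing.
    return p.image.lower() == "regsvr32.exe" and re.search(r"(^|\s)/s\b", p.cmd, re.I) is not None


def _service_control(p):
    return (p.image.lower() in {"net.exe", "net1.exe", "sc.exe"}
            and re.search(r"\b(start|stop|create|config|delete)\b", p.cmd, re.I) is not None)


RULES = {
    "regsvr32_silent_register": _silent_regsvr32,
    "service_control": _service_control,
    "acl_change": lambda p: p.image.lower() in {"takeown.exe", "icacls.exe"},
    "browser_opens_chat_invite": lambda p: p.image.lower() == "msedge.exe" and "discord.gg/" in p.cmd,
}


def match_rules(procs):
    """Map rule name -> PIDs matching it, in record order."""
    hits = {name: [] for name in RULES}
    for p in procs:
        for name, pred in RULES.items():
            if pred(p):
                hits[name].append(p.pid)
    return hits


def ancestry(pid, procs):
    """Walk parent *names* up to a root. The report gives parent images, not parent
    PIDs, so when two records share an image the first one is used."""
    by_pid = {p.pid: p for p in procs}
    by_image = {}
    for p in procs:
        by_image.setdefault(p.image.lower(), p)
    chain, parent, seen = [by_pid[pid].image], by_pid[pid].parent, set()
    while parent and parent.lower() not in seen:
        seen.add(parent.lower())
        chain.append(parent)
        nxt = by_image.get(parent.lower())
        parent = nxt.parent if nxt else ""
    return chain


def descends_from_installer(pid, procs, root="LDPlayer9_ens_1001_ld.exe"):
    return root in ancestry(pid, procs)[1:]


GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)


def trust_provider_writes(writes):
    """Provider GUID -> set of $DLL values written under ...\\Providers\\Trust.
    Any DLL other than WINTRUST.DLL here would redirect Authenticode verification."""
    out = {}
    for w in writes:
        if "\\Cryptography\\Providers\\Trust\\" not in w.key:
            continue
        m = GUID_RE.search(w.key) or GUID_RE.search(w.value)
        if not m:
            continue
        dlls = out.setdefault(m.group(0).upper(), set())
        if w.name == "$DLL":
            dlls.add(w.value.upper())
    return out


def foreign_trust_dlls(writes):
    """GUIDs whose $DLL was pointed somewhere other than the stock WINTRUST.DLL."""
    return {g: d - {"WINTRUST.DLL"} for g, d in trust_provider_writes(writes).items() if d - {"WINTRUST.DLL"}}


if __name__ == "__main__":
    for rule, pids in match_rules(PROCS).items():
        for pid in pids:
            print(f"{rule:28} pid={pid:<5} chain={' <- '.join(ancestry(pid, PROCS))}"
                  f" from_installer={descends_from_installer(pid, PROCS)}")
    print("trust providers rewritten:", trust_provider_writes(REG))
    print("redirected providers:", foreign_trust_dlls(REG) or "none")
```

On this report the two regsvr32 and both net hits chain back to the installer, while the Edge process that opened the Discord invite hangs off explorer.exe (the "Manual execution by a user" indicator). The GUID {00AAC56B-CD44-11D0-8CC2-00C04FC295EE} is WINTRUST_ACTION_GENERIC_VERIFY_V2 and {64B9D180-8DA2-11CF-8736-00AA00A485EB} is the SoftPub provider; both still point at WINTRUST.DLL with the Softpub* entry points, which is what `regsvr32 wintrust.dll` writes when it re-registers the default provider. A repair tool re-registering crypto DLLs and starting cryptsvc looks the same as a hijack at the signature level; the $DLL value is what separates the two, so that is the field to check.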
Executable files: 476
Suspicious files: 132
Text files: 163
Unknown types: 2

Dropped files

PID | Process | Filename | Type

6244 | LDPlayer9_ens_1001_ld.exe | C:\LDPlayer\LDPlayer9\LDPlayer.exe.tmp
MD5:
SHA256:

6244 | LDPlayer9_ens_1001_ld.exe | C:\LDPlayer\LDPlayer9\LDPlayer.exe
MD5:
SHA256:

6680 | LDPlayer.exe | C:\Users\admin\AppData\Roaming\XuanZhi\fonts\NotoSans-Regular.otf
MD5:
SHA256:

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\data-3G.vmdk
MD5:
SHA256:

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\data.vmdk
MD5:
SHA256:

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\dnresource.rcc
MD5:
SHA256:

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf | binary
MD5: E2E37D20B47D7EE294B91572F69E323A
SHA256: 153161AB882DB768C70A753AF5E8129852B9C9CAE5511A23653BEB6414D834A2

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf | ttf
MD5: 4ACD5F0E312730F1D8B8805F3699C184
SHA256: 72336333D602F1C3506E642E0D0393926C0EC91225BF2E4D216FCEBD82BB6CB5

6680 | LDPlayer.exe | C:\Users\admin\AppData\Roaming\XuanZhi\fonts\Roboto-Regular.otf | binary
MD5: 4ACD5F0E312730F1D8B8805F3699C184
SHA256: 72336333D602F1C3506E642E0D0393926C0EC91225BF2E4D216FCEBD82BB6CB5

6680 | LDPlayer.exe | C:\LDPlayer\LDPlayer9\launcherskin\default_h.jpg | image
MD5: C5A411D2361C0753E58FCEF8F4E26D1D
SHA256: 6B3A23A61CF4D5900272094B557CF48FE6C2E4AEFC31A500F24C949308DEC8D7
HTTP(S) requests: 14
TCP/UDP connections: 127
DNS requests: 75
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5116 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6244 | LDPlayer9_ens_1001_ld.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH6Hwxq9kZ5xalNEESzfRqk%3D | unknown | whitelisted
6244 | LDPlayer9_ens_1001_ld.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | unknown
4196 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3852 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4196 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2616 | dnplayer.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ5rEWLwbJFq%2FmAU80sm7E%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
2616 | dnplayer.exe | GET | 200 | 142.250.186.67:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQC5J12%2BnSLQ8RBruJn5gGX9 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
3928 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3928 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6244 | LDPlayer9_ens_1001_ld.exe | 163.181.92.229:443 | res.ldrescdn.com | Zhejiang Taobao Network Co.,Ltd | DE | unknown
6244 | LDPlayer9_ens_1001_ld.exe | 104.18.20.226:80 | ocsp2.globalsign.com | CLOUDFLARENET | | whitelisted
6244 | LDPlayer9_ens_1001_ld.exe | 142.250.186.78:443 | www.google-analytics.com | GOOGLE | US | whitelisted
6244 | LDPlayer9_ens_1001_ld.exe | 52.222.214.107:443 | apien.ldmnq.com | AMAZON-02 | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
google.com | 216.58.206.78 | whitelisted
res.ldrescdn.com | 163.181.92.229, 163.181.92.230, 163.181.92.234, 163.181.92.228, 163.181.92.235, 163.181.92.232, 163.181.92.233, 163.181.92.231 | unknown
ocsp2.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
www.google-analytics.com | 142.250.186.78 | whitelisted
apien.ldmnq.com | 52.222.214.107, 52.222.214.5, 52.222.214.127, 52.222.214.32 | whitelisted
ocsp.rootca1.amazontrust.com | 18.245.39.64 | shared
login.live.com | 40.126.31.67, 20.190.159.2, 20.190.159.4, 20.190.159.75, 40.126.31.69, 20.190.159.23, 20.190.159.64, 20.190.159.73 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
6832 | msedge.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
Process | Message
Dism.exe | PID=1568 TID=3476 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe | PID=1568 TID=3476 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=1568 TID=3476 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=1568 TID=3476 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=1568 TID=3476 Loading Provider from location C:\WINDOWS\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=1568 TID=3476 Connecting to the provider located at C:\WINDOWS\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe | PID=2636 TID=6028 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
DismHost.exe | PID=2636 TID=6028 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe | PID=2636 TID=6028 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
Dism.exe | PID=1568 TID=3476 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect