guerrilla | hxxp://[.]ç

Resubmissions

05-03-2024 08:54

240305-kt7d8sbh45 10

05-03-2024 08:48

240305-kqfgcaba2s 1

Analysis

max time kernel
735s
max time network
736s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05-03-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://.ç

Score

10^/10

guerrilla bootkit discovery exploit infostealer persistence rat trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla

Guerrilla payload 3 IoCs

Processes:

resource	yara_rule
C:\LDPlayer\LDPlayer9\system.vmdk	family_guerrilla
C:\LDPlayer\LDPlayer9\system.vmdk	family_guerrilla
C:\LDPlayer\LDPlayer9\system.vmdk	family_guerrilla

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLVERIFYINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5400 takeown.exe
5412 icacls.exe
6128 takeown.exe
3248 icacls.exe
5988 takeown.exe
436 icacls.exe

pid	process
5400	takeown.exe
5412	icacls.exe
6128	takeown.exe
3248	icacls.exe
5988	takeown.exe
436	icacls.exe

Executes dropped EXE 35 IoCs

Processes:

LDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exednmultiplayerex.exeVBoxManage.exeLd9BoxSVC.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
5440	LDPlayer9_ens_1001_ld.exe
5936	LDPlayer.exe
1376	dnrepairer.exe
1512	dismhost.exe
5636	Ld9BoxSVC.exe
5616	driverconfig.exe
816	dnplayer.exe
5204	Ld9BoxSVC.exe
3728	vbox-img.exe
1444	vbox-img.exe
436	vbox-img.exe
2820	Ld9BoxHeadless.exe
5456	Ld9BoxHeadless.exe
4508	Ld9BoxHeadless.exe
3676	Ld9BoxHeadless.exe
5984	Ld9BoxHeadless.exe
2408	dnmultiplayerex.exe
5900	VBoxManage.exe
988	Ld9BoxSVC.exe
2836	dnplayer.exe
1784	Ld9BoxSVC.exe
200	vbox-img.exe
1168	vbox-img.exe
2976	Ld9BoxHeadless.exe
5128	Ld9BoxHeadless.exe
3924	Ld9BoxHeadless.exe
4164	Ld9BoxHeadless.exe
6080	Ld9BoxHeadless.exe
3448	MEMZ.exe
1568	MEMZ.exe
2728	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
5664	MEMZ.exe
6040	MEMZ.exe

Loads dropped DLL 64 IoCs

Processes:

LDPlayer9_ens_1001_ld.exednrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
1376	dnrepairer.exe
1376	dnrepairer.exe
1376	dnrepairer.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
1512	dismhost.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5636	Ld9BoxSVC.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5740	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5812	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
5924	regsvr32.exe
4276	regsvr32.exe
4276	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

5412 icacls.exe
6128 takeown.exe
3248 icacls.exe
5988 takeown.exe
436 icacls.exe
5400 takeown.exe

pid	process
5412	icacls.exe
6128	takeown.exe
3248	icacls.exe
5988	takeown.exe
436	icacls.exe
5400	takeown.exe

Registers COM server for autorun 1 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeLd9BoxSVC.exeLd9BoxSVC.exednrepairer.exeVBoxManage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	VBoxManage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	VBoxManage.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

LDPlayer9_ens_1001_ld.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	LDPlayer9_ens_1001_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	LDPlayer9_ens_1001_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	LDPlayer9_ens_1001_ld.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	LDPlayer9_ens_1001_ld.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

608 raw.githubusercontent.com
609 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

flow	ioc
608	raw.githubusercontent.com
609	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\x86\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI64.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSDL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetNAT.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVBoxDbg.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStub.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\EGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VirtualBox.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetFltNobj.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 6 IoCs

Processes:

UserOOBEBroker.exedism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5756 sc.exe
5780 sc.exe
5328 sc.exe
5092 sc.exe
4120 sc.exe
5652 sc.exe
5768 sc.exe
872 sc.exe
5460 sc.exe
5620 sc.exe
3660 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5756	sc.exe
5780	sc.exe
5328	sc.exe
5092	sc.exe
4120	sc.exe
5652	sc.exe
5768	sc.exe
872	sc.exe
5460	sc.exe
5620	sc.exe
3660	sc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exednplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5696 taskkill.exe
5328 taskkill.exe
5608 taskkill.exe
5740 taskkill.exe

pid	process
5696	taskkill.exe
5328	taskkill.exe
5608	taskkill.exe
5740	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exednplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeVBoxManage.exeLd9BoxSVC.exeregsvr32.exeLd9BoxSVC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9}\ = "IDnDModeChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\TypeLib	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26F1-4EDB-8DD2-6BDDD0912368}\NumMethods	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7532-45E8-96DA-EB5986AE76E4}\ProxyStubClsid32	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735f-4fde-8a54-427d49409b5f}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8384-11E9-921D-8B984E28A686}\NumMethods\ = "37"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787b-44ab-b343-a082a3f2dfb1}	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\TypeLib	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3E87-11E9-8AF2-576E84223953}\NumMethods\ = "36"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-c9d6-4742-957c-a6fd52e8c4ae}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-cb8d-4382-90ba-b7da78a74573}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\ = "ICloudProvider"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-ff5a-4795-b57a-ecd5fffa18a4}	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-604D-11E9-92D3-53CB473DB9FB}\ = "IStringArray"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08a7-4c8f-910d-47aabd67253a}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\NumMethods\ = "16"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8084-11E9-B185-DBE296E54799}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-ff5a-4795-b57a-ecd5fffa18a4}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC6-4883-801D-77F56CFD0103}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-71b2-4817-9a64-4ed12c17388e}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\NumMethods	VBoxManage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3\0\win64\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B5BB-4316-A900-5EB28D3413DF}\ = "IMachine"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8384-11E9-921D-8B984E28A686}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ = "ICertificate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\NumMethods	VBoxManage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\ = "IGuest"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}\NumMethods\ = "21"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods\ = "76"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\NumMethods\ = "64"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	regsvr32.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 693675.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.4.0.Clean.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 567161.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeLDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exednplayer.exednmultiplayerex.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1480	msedge.exe
1480	msedge.exe
1472	msedge.exe
1472	msedge.exe
1516	identity_helper.exe
1516	identity_helper.exe
4880	msedge.exe
4880	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
3244	msedge.exe
1980	msedge.exe
1980	msedge.exe
5272	msedge.exe
5272	msedge.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
1376	dnrepairer.exe
1376	dnrepairer.exe
6000	powershell.exe
6000	powershell.exe
6000	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
5936	LDPlayer.exe
5936	LDPlayer.exe
5440	LDPlayer9_ens_1001_ld.exe
5440	LDPlayer9_ens_1001_ld.exe
816	dnplayer.exe
816	dnplayer.exe
2408	dnmultiplayerex.exe
2408	dnmultiplayerex.exe
5484	msedge.exe
5484	msedge.exe
848	msedge.exe
848	msedge.exe
5268	msedge.exe
5268	msedge.exe
2412	identity_helper.exe
2412	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dnplayer.exednplayer.exe

pid process

816 dnplayer.exe
2836 dnplayer.exe
Suspicious behavior: LoadsDriver 17 IoCs

Processes:

pid

4
4
4
4
4
664
664
664
664
664
664
664
664
664
664
664
664

pid	process
816	dnplayer.exe
2836	dnplayer.exe

pid
4
4
4
4
4
664
664
664
664
664
664
664
664
664
664
664
664

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 46 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer9_ens_1001_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	5440	LDPlayer9_ens_1001_ld.exe
Token: SeShutdownPrivilege	5440	LDPlayer9_ens_1001_ld.exe
Token: SeCreatePagefilePrivilege	5440	LDPlayer9_ens_1001_ld.exe
Token: SeDebugPrivilege	5328	taskkill.exe
Token: SeDebugPrivilege	5608	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe
Token: SeDebugPrivilege	5936	LDPlayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exednplayer.exednplayer.exemsedge.exe

pid	process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
816	dnplayer.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
816	dnplayer.exe
2836	dnplayer.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

msedge.exednplayer.exednplayer.exemsedge.exe

pid	process
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
816	dnplayer.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
816	dnplayer.exe
2836	dnplayer.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe
848	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

SystemSettingsAdminFlows.exeLDPlayer9_ens_1001_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4208	SystemSettingsAdminFlows.exe
5440	LDPlayer9_ens_1001_ld.exe
5936	LDPlayer.exe
1376	dnrepairer.exe
5636	Ld9BoxSVC.exe
5616	driverconfig.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
2636	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
2636	MEMZ.exe
2636	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
412	MEMZ.exe
1568	MEMZ.exe
2636	MEMZ.exe
2636	MEMZ.exe
1568	MEMZ.exe
412	MEMZ.exe
412	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1472 wrote to memory of 4072	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4072	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1564	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1480	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 1480	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe
PID 1472 wrote to memory of 4624	1472	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://.ç
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa13953cb8,0x7ffa13953cc8,0x7ffa13953cd8
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2608 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7492 /prefetch:8
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
2⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
2⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1
2⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
2⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8188 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8320 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5696

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1001 -language=en -path="C:\LDPlayer\LDPlayer9\"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5936

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=721394
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
5⤵
PID:6108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
6⤵
PID:732

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
5⤵
- Manipulates Digital Signatures
PID:352

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
5⤵
- Manipulates Digital Signatures
PID:4644

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
5⤵
PID:5208

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
5⤵
PID:1668

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
5⤵
PID:2868

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
5⤵
PID:2148

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
5⤵
- Manipulates Digital Signatures
PID:2892

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5988

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:436

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5400

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5412

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
5⤵
- Drops file in Windows directory
PID:5436

C:\Users\Admin\AppData\Local\Temp\A66F6CAD-8A69-4215-ABD1-9FABB022BB9A\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A66F6CAD-8A69-4215-ABD1-9FABB022BB9A\dismhost.exe {4DA81FD2-187C-43F3-BA63-496E6B154615}
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1512

C:\Windows\SysWOW64\sc.exe
sc query HvHost
5⤵
- Launches sc.exe
PID:5652

C:\Windows\SysWOW64\sc.exe
sc query vmms
5⤵
- Launches sc.exe
PID:5756

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
5⤵
- Launches sc.exe
PID:5768

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
5⤵
- Loads dropped DLL
PID:5740

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
5⤵
- Loads dropped DLL
PID:5812

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5924

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
5⤵
- Loads dropped DLL
- Modifies registry class
PID:4276

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
5⤵
- Launches sc.exe
PID:872

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
5⤵
- Launches sc.exe
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6128

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3248

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:816

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:5620

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:5780

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:5328

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
4⤵
- Executes dropped EXE
PID:3728

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
4⤵
- Executes dropped EXE
PID:1444

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
4⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
4⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffa13953cb8,0x7ffa13953cc8,0x7ffa13953cd8
5⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1
2⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3073778928835204618,12294607831956112454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1
2⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4288

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2348

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1556

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1112

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8
1⤵
PID:5596

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:5204

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2820

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5456

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:4508

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:3676

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5804

C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe
"C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Program Files\ldplayer9box\VBoxManage.exe
"C:\Program Files\ldplayer9box\VBoxManage.exe" unregistervm {20160302-bbbb-bbbb-1822-000000000000}
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:5900

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2836

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:5092

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:4120

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:3660

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:200

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:1168

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
PID:988

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:1784

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:2976

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5128

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:3924

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:4164

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:6080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa13953cb8,0x7ffa13953cc8,0x7ffa13953cd8
2⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
2⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
2⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
2⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4120 /prefetch:8
2⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
2⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
2⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
- NTFS ADS
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4020 /prefetch:2
2⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
2⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
2⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
2⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6936 /prefetch:8
2⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,11823102856878553931,11445195642695691325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
- NTFS ADS
PID:4276

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Executes dropped EXE
PID:3448

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:412

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:5664

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:6040

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:4812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe
Filesize
55.6MB

MD5
260b2887efcfdfe32b681d72b92a1bd3

SHA1
7b031668c89362fbfd1c81a7273faa4490ab63e4

SHA256
dbf2ad017ad934dbdf82e87a13599c37ed36f8aee7e2b75520ed5217cb45bfc7

SHA512
c41f59f9ca8ee3d678a9feb9838df099476fe08e9a62a70638f9401edd0acc26c4d7b733a0d66fc5c75291a455c93f4a182a749637da74667d21ad8e200a8d53

Download Submit
C:\LDPlayer\LDPlayer9\LDPlayer.exe
Filesize
89.7MB

MD5
f6bba63600d858342ce4d0b4bbdd125a

SHA1
a34206e6e2073dc51d24e8c5239a148f7ab41c49

SHA256
0b8c7dc4260aa805be4df4008451def708358d7177c90122ac070276873e38fc

SHA512
c9b32f7665f8bd85eeea0f633e2ee715879f07c26def5041f3a2f2fe4c999a24425d6d6b9b1b689a8e358929b2d58f78a3dd0619a106ccd8fe57b96450ab18f0

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll
Filesize
51KB

MD5
66320b2085eaef1c436f6940b4bb8822

SHA1
6e92774138f43129a209c3fc80839c7726e9644d

SHA256
e7e8225ea6879d0e24be299dfb07b42876157b221e2c01ede29b6da675e830e0

SHA512
2a66ed15503c57059dab50128c5d1167f8afd152d5cc84383472db41224bddc4552a9a69a3f59bd820d42fe68a73f45cc5f00a3df3f8172ac744cc432cea4b54

Download Submit
C:\LDPlayer\LDPlayer9\device.ini
Filesize
91B

MD5
dba7fefc48f3b90350effad166abf887

SHA1
263d9ceb08d10685ff4222d7c89cb563d2c411f8

SHA256
02cf1d1f11940dcc79c52917a12f52f3a0b3aa3a381ce86d86d3a15c50ac5292

SHA512
34789e652fc0155e6d18e779d57fdea51c4fc439f96313e0d5290558402d4171d8f8abdcca31d01eb5d50b0bedbaa68b0f70d47df8a4ab714a4f40e6c5a1d2ab

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
04a464934784e7681b746ed70ecb6c77

SHA1
b8ad32df8d90796ac6a4fc6d4b8d59ee88501eef

SHA256
4dae61aed5c1adfa37c21bb78b3feeb5eb8a0cb1a75f3a6efdb9cf7bc50e28e3

SHA512
569f8004efb04788ec896f87e8839852975010f12ebbbe5fa833875f60abf55d9c0a18015eaddc05433c8a33e51804feb4e6778f5f1470eb5ab8be102559b2ea

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
4.1MB

MD5
e93f70db0980cad4fae75274d4ae4840

SHA1
d20768191c856350bbc2bdef574e10c6d831bc70

SHA256
379cbb322e630b1335e9465486dde95cfe0cfbfc0e4251abef7f5c7bdc3cf856

SHA512
216d85610f3c32aae61289298527c4bc4fc41026c107250ebff1fb4e07d1277d1183b2355e20042c7f66387453463bd3a08d06ca1fb630145440adba145caf9a

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
7.4MB

MD5
3b5c6c51c3e5f4eee13d7c03c4a6c20e

SHA1
c5dab0f6092fcb89fc8129bed5442b9eb834f12a

SHA256
bae53483666ae4d8f707fe77a469a813dfc97fc0fb76511d45559e10ae7027f7

SHA512
26b34f0c627f082ff652cc5389aba6e14b75d692319ab32b4fcdcb32befa003ce1038effdad50a2d3eef09af1bfde3afc691d63f4cd6e10603d75224f28f1154

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
8.4MB

MD5
fd8169a37ad720990884c6164efe5f95

SHA1
ddb9641f670ece378105a2df55eefca03357aad4

SHA256
f1ae09523b93deaa142830efbf22248e129d776292cc00e99bceda0bdd514ef1

SHA512
03215ae256e894b2185c3be3a365c56eb60c9bf70bc4cd1d480c459781a82606b8fc25cdbac6393063b45177eea06e700859e036bc2ac6a35695e99c05297961

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc
Filesize
5.0MB

MD5
f845753af4cc7b94f180fb76787e3bc2

SHA1
76ca7babbb655d749c9ed69e0b8875370320cc5a

SHA256
a19a6c0c644ce0e655eaf38a8dbddf05e55048ba52309366a5333e1b50bde990

SHA512
0a3062057622ffcff80c9c5f872abdf59a36131bfc60532c853ea858774d89fed27343f838dfe341dafe8444538fc6e2103d3aa19ef9d264e0f8e761c4bfce81

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf
Filesize
3.5MB

MD5
7e812614952563f90ea9e8d2efccc2bf

SHA1
5ec95d533f0f4b9b6dd97ad0af57d162145f9f01

SHA256
f0eeb42843a61d734203b8259a22ad6c3d023e92cf0a71bf0600f0db53c2dfbc

SHA512
546c2dafa1cdf53c728aedb136ba8c522eae9b2530c948d9b650c30b21613166751b7a9522269dca9a35053cfe3aca2f7e606419d8e24a4d78a776dda5f97fd7

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc
Filesize
4.8MB

MD5
26ca9c872177cf0ec91a91e2f9d8120d

SHA1
55fc0849e49ad3a95f9b279b7ef19ee7f3ec22ae

SHA256
fabed620d94f423f134fe9adf7d88dba3bbac7be1ded13e0845e889e44c02661

SHA512
e1946ae4121735e9f96fd7be92694844fc2464af6de6be6956893a45a725ad8965d53aa7a9a0bd00b336187a9c4c8c0188ff4752d1e242c8422d4135be3ba3f8

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\msvcr120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
8.2MB

MD5
0625fa50c4369eca25c18035d8046eb1

SHA1
60a12babcb40526bec1a40d106479de785956db2

SHA256
13a1772dd1a3288a8e8e4ae7a8022870cfab96af349c4070c0a78012edc88089

SHA512
7d4f6ee3c0ef1667054982290a5c645c950d8cd542e78d8fc6f30f448e4c95e67133f2b0c785c2515ade9886d281af5bf2600b6289f662d48f0b58a6a5dde545

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
8.1MB

MD5
787fd7455a70a462e27c005c69306ddd

SHA1
47c4dcc441ae183605d6bf2b2822547b05c8d585

SHA256
ed5d085452dff7cbf3fed892d023da64d1926d55e38569f8d9b622b965799ebd

SHA512
0340162f08a62ba748b6bf07658179c96793fa03a7bb55f4fea0892439f41ef1862555f63f0c475f26af5f75b0d170fec4cdf105d44192f14e0e34290597240f

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk
Filesize
9.3MB

MD5
7f9b10b7391171a9ceb1a661607d89ab

SHA1
c4e04220bc0aeeb622646dace7017532c21e1653

SHA256
02235d570d63fa3c4a34e31106f8327438748535dfc2b9d7e4d2ce82580ae160

SHA512
916d58f9c9515463f57f898520f175dee7a776da9e0c2c21d23a9612efb3ef50dfc55421a3a589f3f64716300960eccda0510038632de66a6d32b46acee931c0

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
Filesize
641B

MD5
ad4b5e16ea8135588dc4efc38db0bdee

SHA1
c1ffc6ee777ec6b1314b01be4e0aff7dbaa626f8

SHA256
0a741c6327619d394fdb84484f52584ea2577e5d95915964c8cb6c875d300788

SHA512
670f3e6d38be9d94367cac8259da66009cfbdfeffadab15834ba21ba85c7cd3a17d322ea2e001dc0ad19e16e9592f01bfa7323a4c4c347b1f3dda73c69c477a9

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
13.1MB

MD5
20f0c472d4c56888c7a2b1531c76faf6

SHA1
c9612728fa4892a0fd9989b9f4f78dfd605dd32c

SHA256
58182545504c63b7683a1a9d09cfc3266036ed6e69affc8495acdffb13428f95

SHA512
4db1342b49fc2841fbfc69b0e131f5cb0ca3f33c25de1792997f627074f31c1f48a67a770be529714a75a3accea781d85324073e20267d946d7a362442d9a700

Download Submit
C:\LDPlayer\ldmutiplayer\libeay32.dll
Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
96899614360333c9904499393c6e3d75

SHA1
bbfa17cf8df01c266323965735f00f0e9e04cd34

SHA256
486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c

SHA512
974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1423c1a528e7edc20b7f2c4b94e6bacd

SHA1
e7d7285afad7b07ed6805f31d4fc3bb3f7f0242e

SHA256
498a177a3e2edbfea97c14353865421c078f73d84e7619bebd36d77c5b1317da

SHA512
870217847a95fe38049f04734776fa604f84d830d5b5bf6b753620afde7d0800a26c96c77d66fa6c79d6b369853b27487f010c2e6661acecab858a3156bd3106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2c5433e3aec0e7a9da9726637867fdc3

SHA1
7f93f26c987ce7218f46659ba777e23c5a68660b

SHA256
a3753cb5fe6ba511b56ecc69c08f93ee7bd6ccc6d7a89b5e6c68f5c2e0b9e8a9

SHA512
cf1c3e0c2b46433ecfbf98d0bc831a66a752a2bfa7df8ed336fdbf7220ab7cd6506c73535687271b9e261951f0d825e7335de36afb3967edd96f71161d744f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
19a8bcb40a17253313345edd2a0da1e7

SHA1
86fac74b5bbc59e910248caebd1176a48a46d72e

SHA256
b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e

SHA512
9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\026afd04-04bc-499f-a0b5-d70de4baa177.tmp
Filesize
3KB

MD5
fc4944618d726307651c116a3b6c07a3

SHA1
df5eac48d222aa23584f1a6c1f47b7467e392970

SHA256
8e9e7447e6cc931c001a6d4945143784825c03f5bb3b20f737bd062733eca8b1

SHA512
5ac635e88ab1818ff310198888edf4c0e2a82bf2251367bbed8ed36e88466f515d7483261dc1c40e6821649d6a27443bd5389a49d90cc41109a1734218d10ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032
Filesize
25KB

MD5
05e9679509b61424a07cc4d4efb7247f

SHA1
db4fcfac1d89c7e4f0bdbea9023034b64a9dbd81

SHA256
31798b2630a882be758010dfa51b12026c8fd81f0e4068b38fd739cac78cba0b

SHA512
1cbe7343e19b41f3f116a93d598d7b67779d29c6bc0a7b086d112dfcc76fee60811290b67b5d2561751700be483f6cd460b9b4c8325397813314ba064e4c2208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038
Filesize
23KB

MD5
b598f33d037b0af8744a4a6dbf9a8f41

SHA1
35eb36d6129bbb54c02c5e433013926961d5c3dc

SHA256
fbf5b0c915e03d804b5febb071c11931c4df675d87bcab94f430b92ccfdc571a

SHA512
405bc6b42d6969adbc4cf4802e052d962921c37f6c4e03d2384b3bed814ff68625e67c9005dc0ee109674df473fc5bba7ebb1b67f7802924dc6723328ad242ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a
Filesize
16KB

MD5
cfa2ab4f9278c82c01d2320d480258fe

SHA1
ba1468b2006b74fe48be560d3e87f181e8d8ba77

SHA256
d64d90cc9fa9be071a5e067a068d8afda2819b6e9926560dd0f8c2aaabeca22e

SHA512
4016e27b20442a84ea9550501eded854f84c632eeced46b594bcd4fc388de8e6a3fbfe3c1c4dbd05f870a2379034893bfd6fd73ac39ef4a85cbf280ab8d44979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
Filesize
29KB

MD5
d453eca18d366c4054d2efd57717cf9d

SHA1
c7b0dfc73bb89d8f0a94e2cde0eeba2b5e07d5c4

SHA256
be8f4fac2d40747a0adaecc6f1befe81b254a2b12bf25ce01d7194b374a457fc

SHA512
a6f770c9e4058e8c17f3f72a245f76075441e07507ef05d455108e1768ca2a93f851b92335b33c1de61cf941cf135b0be4698d3d551b54132b2d5c882fd34835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c
Filesize
65KB

MD5
8a42ba5472aa4afa3d3ac12f31d47408

SHA1
2add574424ac47c1e83b0b7fae5d040c46ac38a7

SHA256
759bfec59bce5ddea7751b7f93408074a8c27cb2c387b08b6b9f4aa111266ec4

SHA512
3e1081a6e1c29f6dae28ab997c551a6d107d4f4b7e0981a19ba81a30a4e420dee1791321dca8f4b500c9e7e4a41c5e5c75013a72e5a5cde3f7e6c50393eb10b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
a58a672afd4e41d903dc94e0b53ba04c

SHA1
18016dcc4d6708f1655a5ae73a4d2e53532779b4

SHA256
8b234359a6dce264eddc9685aa9cfedc3207068a2ea237e6b33676fa77c9c082

SHA512
9846f65dd7c85008bb02fdc602aa7ae41f72d42a349e6e5353191d6f6136db849b4ed8ad64fcf66045964da157e643c74d7157881f4e7c9164b084e9614eb73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
aef3e655e54167e31f08fa2de2af48a1

SHA1
ba401f9a1568191151e6efbeaa9bb76c957a5e30

SHA256
258b86b78b7a8c90d471984f6ccfe0f909dfe5f5158b7314a560abdd6e40057d

SHA512
210ac9f845be6b7e7835d896933a9fb7b1d5df715473d30a61c258cc706b3cdd34e9b6870d19a8845257436b2001c5cfe4646f2e26fef7c4e8556148c7f218d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
6KB

MD5
d09131063118212a0496fecc9bccafd9

SHA1
af8c235764e46020b32ddd952f071fb223c278d6

SHA256
faa922216a9b01bf6d0fb9a741b42985789797846f7e85a2a613019b6e115265

SHA512
c9d8c76789ddf01fddba9f73a8496eaabc4433d80f222940c6b672244e2d0d48c318db7b5efabbde97e2086e8f520d102d7e11469128be4f731d4107e96dc552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
7KB

MD5
f35a937d5b9f1918f8c6ff0eb2e4e91e

SHA1
ad674a65c5511467a0a6190810deb3ff9f0f5b66

SHA256
079afa628557563641f2df7ab2bf9259dafb082280798c3d01db797631c3324c

SHA512
27be63c18f44fd4330e0ba072db2230838d02770f1a9f457d205c46e4d80471ad45b4d65fb32b1d47bca6e22a3824183e1c6c84072aff96bba6723f03e9d42fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
897ab94355ae771f4d944e0bf29f0852

SHA1
a3b342c7f25b3b17fbe136775b0d1554557a4c4a

SHA256
64b807d3c9b89c4b20ea54a76b3215d2d1defc3907c4d89f8035ba8cfdd28fc4

SHA512
0f993c38745423a9cb792ce4590075d536b7d17f8e132dc8849ade67b92b1b2802f47e6c9fb23d6e14141beb50f5e82bf59cccb09497b69c925956f0989310f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
5f22771d6d74f91b678d67f90e671b1b

SHA1
92e419c273c578ccc7694ed79079486fe8fa1b34

SHA256
25ea9c3a51d149a9aa54990f11460ec7c84a05edd1658e5776da8a2e9e0b2576

SHA512
72b59b96831e9e767b8f33bcc5edfe6b17ebe6539392f538f7fc8761ef7481335ac44ba69eab5a1586c7eeb39bc3914e8c517e0afd24a805683a1df3258e8883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
10KB

MD5
8ae22a87a577e96a8815c7cf81061aee

SHA1
81ac8a4699181f08e0e323fd89c4cc99cff10094

SHA256
96aad38c78a5d50e4254b7d2121225afb6d18488d3b76db14b390d915174fe2f

SHA512
5261e6924645a20cd63c30261185ea708fc1d69517814e6d76429a7c01158a26867c0131bf73ccb7370c81b551d653169d5875c35f035306d303002a110d7e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
12KB

MD5
26534dc4e91e44545591deb921cb90b4

SHA1
828750bd3ec0798bd07482e1ce48c458d7ea3de6

SHA256
218a0017e3bf7d5aa975e852f4542c65b0194f785a1ba5ba236fdf4fd380b3e2

SHA512
7b6f25d612a7548899f0287e5d5aa7f88ab3e0089ce929a50183adf4e7019b66b742bf1bdd8633a6078220dc74585116a17dbf0027ae94ec1d2dc4290e2e07d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
12KB

MD5
a0dd9ede2a682ee01cdd419b418db63e

SHA1
75b385f66544ac1253352a7b5daf9c94d0eef5ab

SHA256
4f62679fdba173e8ed129d2aa7f0727e02fe14fa10e7303da0bfa57e32190fa1

SHA512
4412b30e515035a3bf56f0c83475568488ac0d2d360e36232b6529d24cfd25cef8861d242b9f28b5ffeb26fa144da24820891bae20a6f8cb2d0a6c70e9473bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
87de3641fc9f6d33c1408ed4b490312f

SHA1
d7ccdd76a7d93e00fc38d067a4525d0bf6e58ae4

SHA256
0a6504c63198b4ff5aa85e3bc5e2817b168207aee68fb43248c9f1a9cac2b64a

SHA512
dabc80093b0f2009c55fd7afc26cba763a3153cef2377f038bbd10c9225996265b2fe3edfb245a3c7abb00e8d8c664b64b91d715d94d8409effce60b49d4b149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7c5715734900cba29b77b6106d2a6262

SHA1
feaae7fdce8d4c3c27f5adb33dc189af0847fb38

SHA256
2aa44ca4556260152f69405cd7b8ae5dbbf458e98b13338c9587a92080fc362b

SHA512
09089c8888bbb945fc8eb98cacaa42804242a5492519132fd060eb4582ea7a6e4b907410d465adb16b0b7984b377e62bf3508c589119ef3e47c95b5c4e2bbb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
29816c32753718f1f31c3a5bbda755e8

SHA1
185b692504ef57fac9e19e7d547dbdc2bda7a476

SHA256
cf02ef8b7cff7a853a18324e08e061c7de51a71da6fb5a2f5e355479bdabb197

SHA512
4f6a81c283a6eee133ee5d9e96d347a5ec7e40ac281a1166ebe7fb2115acffbde4d82b0a9e776cba23de42d17269eb7108cf72458c5ea25b3452044f17219026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
d2a60eba66fc0bcbb78125ab3770a230

SHA1
a936e8acc87c45717ad9d9f33f8024df04625534

SHA256
f1efbfe1131ea21b89e3d8552e5b0e3e2dbcb42f223f8fc3df1a2742fb1c487b

SHA512
4445079e12d85b1014cc4277fede129a8adc116ac6d7156fc8189ab8275d8fb439e6e320424e0ade09382a03ab1d0e118bb13a6e35fcac490eb114fc0aa3969e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
485fabea22e613efdacb43e88ec53c13

SHA1
cf22445309b56c03039a02b8040853208d14a578

SHA256
2f4ecda890034b5e1190c54befc41af97329c934d813aae575386c492e856720

SHA512
9aebeefbe4ec5f6920dbc9b48afda30f6529aab79bd0b00d118aad7b007ef6346892c188a59d359772add4c3b366dd1bc9afd48ae66a3fe75c0f735d2b291cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9a1fc4878db2f991817cc8c2a603bf84

SHA1
779e38ff11b5658c0a20aa2e961d04cc6bac3e63

SHA256
492e29020644d49aefa4a9c631bb16f706babf0ab9f0f8787885059ee05a398d

SHA512
238b38729e0fbaa84c6ff73bb7c4bb58e332349faaec52476764e130d964d4b44b1cc3c5660361c95a280bb72c04c7b130ab6bce3fc6c9e7fa9d0ece57473c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
69dac990ece86ba3d20d804749697516

SHA1
8469fc01f51a849f613c02ea31beef746f18ca99

SHA256
a8379b15261598378dc2d3591a454866e889ee02fb3290f8517c4302a7f81312

SHA512
9a99fba9db51afb58968b6bf903407e89fc77bd1c65f528e9f60456411678baef3a0aa423a48ec9cf058d9592bd3a88d90134f58397803c4d316c871f669511a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
15f8f2a9e306f0360c5047048539bc55

SHA1
6cb1628b56a159480618097e1e667e093f3241e2

SHA256
826a5e93b54c07c16703e432c09736426b2e6dca5fcf6dfdb3c2b797fc11f0c4

SHA512
e2709d4a36dc7910834abbe30c2171f64f11231b6a90859f23e669405a82723316318544e0dd160c99def34e1b62f1fbf6c29cd2449f7d3c11f4089fed7974b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
a28e47b6551592dddae4f56eaacd1e74

SHA1
d8050e397c31cacf12ef0d3d52c7efc3f9c18a3f

SHA256
307b43b488380c65d97f970d80bfbbd7fd76c8bcb89d72acff6511b14ef970f7

SHA512
1d63bca763dab0ea55234563697947deb13851fd45d3fc48c20f08aa9df14f316475dc711448906f51388dd8211c5f5651f2e2b6075702980edadb290ef84a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
3f99ea24965540893338046496954fed

SHA1
d47fafcc5334df61cd9369278d5ca8b62f3b03ad

SHA256
e80a17fe0759b92605412d69925196a8ce6e13cb415ba8ad9d7b270410952905

SHA512
8fc817b7fd8f81571167c15834c260fec3dffc444642fd0e47729fc5c97bd2c826426a4e8e8bd1e887c5d4cb65d985927ea62b6b8ca4ef6fbe7dbd38a6e8be6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
14KB

MD5
8a0f5ec280c74e403ee896c9ceca7ed9

SHA1
33a1953052c9ba5d7018c2c3d8310a172ad255e7

SHA256
7b9375a9e6d1ded22e09b2fd43c743f70f45949932011d45eaf280dbfc4f3d66

SHA512
c23ef17cbf64537c49275ff0c910bdc87fa45aded1951955bdb3b94fdb845775e3900c10315dbcd2f82563a2b10aacf6848b52cafeb83f7ba101ebd65248d08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
65fe7a23e02ab86530d1a01c1ba460fe

SHA1
834dcfa3e2b2e46a1cb586176c7f4a25d7ffcb5e

SHA256
fc366890b37d571e21df3a3a2fbd7298dcbb6cd23b9f19620a98cc66de16aa77

SHA512
c78840f7d954b8753727dbd127e6e813d5155b8f674d505e7ccfa28a80df1d6dbaead42caa503bcd95b4ca846a1793dc07de7f659b3a5a9a46cadc02f4ca5eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
bf53c20a72fa32c298ddf70e88d88fcd

SHA1
f0c8e2ad6edf3672889643c4a5cdef2054e980ad

SHA256
26afadd6df9712b5616cfd9ac02a6e862c73cfaf09754d04c45e433dd4dd7548

SHA512
684146046a9c99edb509f2e4d13b4515553d55e1c2c3358eeb781448ac89fa07d5b3e2879056726cd387779a5783779738ce77dc2dee42ac59310f383afd7606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
9389ea2356897c5811a5985943e380cb

SHA1
72ff61cef1faecca442cec916cadeae107de59fe

SHA256
b0eff045df6668a54ec0fdf99de5df781e2855771e2eb7eff51d5fa09e2f06e3

SHA512
b20d78a3a958f511df5df5e28136b959bdc6925c371ad5fb9316b2df167ffba47ebec97897970f3f66867d2170a84aaabae6568cfd7ae3f84bb7b6a2cbf1cd07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
53a7b36053055b91bde68d1d9e2775de

SHA1
d83c522b812b50978d026b669cbab8a86f8401f9

SHA256
11dcfb6f0f5f083b6b500d2fab16f9a98a968b7cf64bc0c988795134f72daceb

SHA512
133c74b70b9a58cb1559a2ac41f5628e6220a60fa9ff457bb08b5546ae007677e0e7557c8decef2faf435c4795b8890645e7814a3c48fce45201373fe8b53686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
4283c392018f1000dbe8bfa907e53370

SHA1
00256851ed26c68d82463098d9f95a9a6fb955d1

SHA256
40132420534516cd3cf88ae98dabcacbd867c3b0c408af3b1257143fbea2d516

SHA512
499c0f254dac4bbe987eb4f7ab33c3983907c309a66bc8b33cac2485394d4853bb37abe916255be9809dd32812fb821dcbd42ea95bf8d96542202bff41a6ed12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
f4786910578b38f4ffa51560687af2e1

SHA1
0416b539a25069f2f244fd1eab9ee55c42ae3b09

SHA256
2fcdf4f8cb8edc3113cb3d2b3c550f47dc414bf9ecc58ea65265df84caeb8df9

SHA512
00d417bbdb8f975190054e2a4dfdb86be042157b0609347922eb84b2d3152dc54fe867c578fbe2df50b818afd93f1c2eb57b1c931229767d9ea397ee7afddfc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
91ab1fc0a2699df524863bb675ab3183

SHA1
325af960423645212e53e4d6b6f1a30e18864130

SHA256
95c55e5191b0ed71501f34df292cc9fc1f6b40a9c0c44e9f6e633653a181eb23

SHA512
52b86e98795b29a36f75883fe8b2e4e254aff207699a5bccd255f5d519cb1ff0785c4711c1be3f593fd56487efdbd38d4c326e979f6f1c07c1ea0dc250e53a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
4460d528c1a5607f73105c747e7c7f25

SHA1
7298aa20bccc476b39992220f3fbec2b4b39d8c5

SHA256
f83b036562c3785a6ec3beab4d75c09f2c4b3a9faf3896d81e49b89a177afa83

SHA512
4841de52f9e613b4687ea0da8f2ac92817e08adde300c0c30ad4c85b62fd8c3760be62adbcb5f9c6cff053f6ee6c292099853490de561f99b06dba06b331e58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bf038.TMP
Filesize
536B

MD5
4e37f43692ffa2ac4aab75841e1e7383

SHA1
7584b6d09c0bc52341cec37804e83eb23e7e7d8a

SHA256
daef94d947fdf34d520801996b179dcfd07880dba3858ce6b367ed67a99df8ed

SHA512
40ec823eabaa651ff39cf404cd178fcc9a1137a21aac6d182978b6d6ce3eaa696f9c64671a7c3f540df70793ea63a33610a6492b0dde94811bf6b4b58823e5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
231b4f82509ef0b427ba394202fa98a1

SHA1
d0fca3d9aa12429693348e21126ba19c77ea17ef

SHA256
d941af776b4d0708ef384b1f5abfbf98af1c28b09eb013e7c69896aa782adc35

SHA512
13e738e57b4d5038c715aa46267626a4c88ae5cb03d119da707280b4c94eb87dd1c5bf962100b30a3ab8c2e2edda8890e0584dc7f5020a23bb42ebe70906d833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
fa5a55ad3adbe2d83cd760116268a0fb

SHA1
b9e518b81dddae38b52f20c8d927d74c7eebc129

SHA256
bbbca9a7c4ad33d961e8eb2d2b128e79c3e88ef039a0e4f39cd16a52823ff9e0

SHA512
916763a04e3a7baa46ec018dae53b79f4b6680150f7ece8125ba389d0fd73164a8cbe44884455d64b61193ce4af4b97d9fef3a1c85e2500b10135041b0d3c8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
99677f88c456daf45e6c19b23c5b9ae6

SHA1
b9dbf2286cd797adfb9a2e90064f4e5807328321

SHA256
81757a67e2b441c3a0361cd09f88d997690624d51e20b918976fff76931b527d

SHA512
4e4f45063ad24586cc43253bf61ae3139ac8c3df0e180ae958018f2b9a88bca5b345d44a81d0cdec342ee9af3d46dc76a5db69198ab65763258a83d829bb405c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5c9d61bf94e6327958642aa5e14e73a0

SHA1
777a7845d074f32c8f132494b5bb6a8a6ce11732

SHA256
eabe419b11d82d28be0278c71d0e74e7c11e92888e3ce8c8b37ebf340ecea333

SHA512
baaa0d707c6745f2f67a08994d256333e0e674070dbd823e7926bfac500e9afedb0a398fb78a02433e52f6744ebae552cabb73dd8f4a345633fe1e60b247d887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9073e876d1cb92ae3523d733bf8174e5

SHA1
a3958330da827d5a26315c301650e53c1bd4c905

SHA256
a205e0da2c6bca675b7b301b2a8eefcbe28c7d7d32f990e625c2175390bfe9cd

SHA512
d22d98aa20a105d8d381e934d37f83b52c327e0da8a2124e611602216bbfafa07132cd10f141d021352011c75b44b43bdb4e3a0e8efa1e314578fd8280965503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
1a6137a52e9602a99798c6a0dbaf6664

SHA1
87e19abc3026f827fc229e32aee442df0b3c3bd1

SHA256
aaf2adc1797e72a59fdcc9854383ef4a86f41e112d1d043d4966ff2ef9d019cb

SHA512
b04221cd50edbe10645ac0343050d55231790ed0cc7454fdb902844dbdb47b97608a5f23af663d85f683a347befcefa86a20ddb19d11eaed1c3aa296e1deb72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a94e00275da469f9ce404f804b75f919

SHA1
a263deac996b036175b1ae9c8598c1078ae3c1e5

SHA256
d9ef84f003cf1cd62f5aa830e58fdddd66838d58329158140082889410e58ac6

SHA512
4125695fa58a60fd5b288102000a9a865bf483b7a869cf2a3b34b8589e1ebb042bb43ce4d1a74a189c605c01f158001c5b1f94a2b3825c6d25863612efef0da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-3-5.856.1556.1.odl
Filesize
706B

MD5
482379e7e46cc0921d8364af420c6a3e

SHA1
ba8c4b6d9c7516111087c12b1b369ab37d7584d6

SHA256
86e1bd7799055c4cd321fb133d5c30d746d4ec0925e3d5cc9a51b4b6ce91f754

SHA512
6e356274cf5255b6998065da29d60efd93fe8b1a765f28a4967d872b6cff172845dbfcefa5c57420ffe070794a7a22205de37e2f2035a3db7259c41d203b4ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A66F6CAD-8A69-4215-ABD1-9FABB022BB9A\DismCorePS.dll
Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\A66F6CAD-8A69-4215-ABD1-9FABB022BB9A\DismHost.exe
Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A66F6CAD-8A69-4215-ABD1-9FABB022BB9A\DismProv.dll
Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
67KB

MD5
7d5d3e2fcfa5ff53f5ae075ed4327b18

SHA1
3905104d8f7ba88b3b34f4997f3948b3183953f6

SHA256
e1fb95609f2757ce74cb531a5cf59674e411ea0a262b758371d7236c191910c4

SHA512
e67683331bb32ea4b2c38405be7f516db6935f883a1e4ae02a1700f5f36462c31b593e07c6fe06d8c0cb1c20c9f40a507c9eae245667c89f989e32765a89f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wekerakr.zhp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
Filesize
73KB

MD5
17d9dc994ce3a9934563ba26587cfcba

SHA1
9fc5665dba616bacceb1e27f9828a431b0890c88

SHA256
15c21be4137e8c5724ab7da3c3fcc1b7e58a703636999841c5a9909b4b087217

SHA512
97d4c50fe7e8edfb8c81f287c422eaedec14c2a270f28f14713ddf2bc5ad96d84633cd14459dc63c41ba567b3671856c30d55446e531652c0f9189336d1ed13d

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_1001_ld.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 693675.crdownload
Filesize
3.3MB

MD5
7c2e5ef59e9589422bcd5bf3726fbcb1

SHA1
c4dac6966ac4cd3500d6a7fe44138a0db639d507

SHA256
6870e8dbcfaf543500add1d303de528c34e3b1f4d4424b0097c4ffb408a44fcd

SHA512
28870d9cb07f964ba0ecedfb25762cb4530bda869cc717dd4fffcd176085f03c05fd129b23e826dd6ac33ae6af8132bf9dc317ebffb52448b83236ad2349ca45

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
23KB

MD5
78208e551374c6323afbcf3f86457a1e

SHA1
6c621099fb6b592157f621eea1f387fbdd25790f

SHA256
6836f5072b4248e9e4156be3ec90de3db4c7d9f78e449d74bfc2e91f31d860c0

SHA512
6c013113842e1ab4c6e75263ea3082d5a44b1c0fbf671a9c73c0bb1e547aefea05f306843c98b40ff39d4162499ad859e0276fd2abdbf36ad201b8084f83c53c

Download Submit
\??\pipe\LOCAL\crashpad_1472_SFVPPMHEGCZDHZZF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/816-1578-0x0000000036D50000-0x0000000036D60000-memory.dmp

Filesize
64KB

Download
memory/816-2174-0x000000006F040000-0x000000006F291000-memory.dmp

Filesize
2.3MB

Download
memory/816-2173-0x000000006F410000-0x000000006F434000-memory.dmp

Filesize
144KB

Download
memory/1796-1461-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1796-1464-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/1796-1462-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1796-1440-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/1796-1441-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1796-1442-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1796-1451-0x000000007F710000-0x000000007F720000-memory.dmp

Filesize
64KB

Download
memory/1796-1452-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/2836-2201-0x0000000036D50000-0x0000000036D60000-memory.dmp

Filesize
64KB

Download
memory/2836-2186-0x0000000001110000-0x0000000001126000-memory.dmp

Filesize
88KB

Download
memory/4208-1407-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4208-1439-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/4208-1437-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4208-1436-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4208-1427-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/4208-1426-0x000000007F6D0000-0x000000007F6E0000-memory.dmp

Filesize
64KB

Download
memory/4208-1408-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4208-1406-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/5440-693-0x000000000A9C0000-0x000000000A9DA000-memory.dmp

Filesize
104KB

Download
memory/5440-685-0x0000000009C60000-0x0000000009CB0000-memory.dmp

Filesize
320KB

Download
memory/5440-658-0x0000000073DA0000-0x0000000073DB4000-memory.dmp

Filesize
80KB

Download
memory/5440-657-0x0000000005570000-0x0000000005584000-memory.dmp

Filesize
80KB

Download
memory/5440-653-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/5440-659-0x0000000007D20000-0x00000000082C6000-memory.dmp

Filesize
5.6MB

Download
memory/5440-660-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/5440-661-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/5440-671-0x0000000008D30000-0x0000000008D74000-memory.dmp

Filesize
272KB

Download
memory/5440-672-0x0000000008E20000-0x0000000008EBC000-memory.dmp

Filesize
624KB

Download
memory/5440-673-0x0000000008EC0000-0x0000000008F26000-memory.dmp

Filesize
408KB

Download
memory/5440-674-0x0000000009460000-0x000000000998C000-memory.dmp

Filesize
5.2MB

Download
memory/5440-684-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/5440-729-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/5440-686-0x000000000A760000-0x000000000A812000-memory.dmp

Filesize
712KB

Download
memory/5440-687-0x000000000A700000-0x000000000A71A000-memory.dmp

Filesize
104KB

Download
memory/5440-688-0x000000000A870000-0x000000000A882000-memory.dmp

Filesize
72KB

Download
memory/5440-689-0x000000000A8E0000-0x000000000A900000-memory.dmp

Filesize
128KB

Download
memory/5440-690-0x000000000A940000-0x000000000A972000-memory.dmp

Filesize
200KB

Download
memory/5440-691-0x000000000A9F0000-0x000000000AA56000-memory.dmp

Filesize
408KB

Download
memory/5440-692-0x000000000A980000-0x000000000A99E000-memory.dmp

Filesize
120KB

Download
memory/5440-694-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/5440-718-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/5440-719-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/5440-730-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/6000-1374-0x0000000006E90000-0x0000000006EAE000-memory.dmp

Filesize
120KB

Download
memory/6000-1348-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/6000-1349-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/6000-1347-0x00000000031C0000-0x00000000031F6000-memory.dmp

Filesize
216KB

Download
memory/6000-1350-0x0000000005EF0000-0x000000000651A000-memory.dmp

Filesize
6.2MB

Download
memory/6000-1351-0x0000000005AF0000-0x0000000005B12000-memory.dmp

Filesize
136KB

Download
memory/6000-1360-0x0000000006520000-0x0000000006877000-memory.dmp

Filesize
3.3MB

Download
memory/6000-1361-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/6000-1362-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/6000-1363-0x000000007FC80000-0x000000007FC90000-memory.dmp

Filesize
64KB

Download
memory/6000-1364-0x0000000007870000-0x00000000078A4000-memory.dmp

Filesize
208KB

Download
memory/6000-1365-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/6000-1405-0x00000000734D0000-0x0000000073C81000-memory.dmp

Filesize
7.7MB

Download
memory/6000-1375-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/6000-1376-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/6000-1377-0x00000000078B0000-0x0000000007954000-memory.dmp

Filesize
656KB

Download
memory/6000-1378-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/6000-1379-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/6000-1380-0x0000000007E70000-0x0000000007F06000-memory.dmp

Filesize
600KB

Download
memory/6000-1381-0x0000000007DF0000-0x0000000007E01000-memory.dmp

Filesize
68KB

Download
memory/6000-1382-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/6000-1383-0x0000000007F10000-0x0000000007F2A000-memory.dmp

Filesize
104KB

Download
memory/6000-1402-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download