hxxps://www[.]bluestacks[.]com/es/index[.]html

Resubmissions

03/09/2024, 22:41

240903-2mjg9szhkh 1

03/09/2024, 22:36

03/09/2024, 19:45

03/09/2024, 19:41

03/09/2024, 17:36

11/08/2024, 17:42

11/08/2024, 17:24

28/07/2024, 18:08

Analysis

max time kernel
1080s
max time network
1086s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bluestacks.com/es/index.html

Score

8^/10

discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222\FuncName = "WVTAsn1CatMemberInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "WVTAsn1CatMemberInfo2Encode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "DecodeAttrSequence"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
5064	icacls.exe
6484	takeown.exe
3836	icacls.exe
5068	takeown.exe
1876	icacls.exe
1572	takeown.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 23 IoCs

pid	Process
4140	LDPlayer9_ens_10080_ld.exe
436	LDPlayer.exe
5304	dnrepairer.exe
5932	dismhost.exe
6436	Ld9BoxSVC.exe
3732	driverconfig.exe
3084	dnplayer.exe
2104	Ld9BoxSVC.exe
3628	vbox-img.exe
3400	vbox-img.exe
448	vbox-img.exe
6348	Ld9BoxHeadless.exe
7024	Ld9BoxHeadless.exe
6288	Ld9BoxHeadless.exe
1016	Ld9BoxHeadless.exe
1368	Ld9BoxHeadless.exe
4340	dnplayer.exe
5212	Ld9BoxSVC.exe
6468	Ld9BoxHeadless.exe
5784	Ld9BoxHeadless.exe
5532	Ld9BoxHeadless.exe
2000	Ld9BoxHeadless.exe
776	Ld9BoxHeadless.exe

Loads dropped DLL 64 IoCs

pid	Process
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
5304	dnrepairer.exe
5304	dnrepairer.exe
5304	dnrepairer.exe
5304	dnrepairer.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
5932	dismhost.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6436	Ld9BoxSVC.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
6312	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
6172	regsvr32.exe
3220	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6484	takeown.exe
3836	icacls.exe
5068	takeown.exe
1876	icacls.exe
1572	takeown.exe
5064	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
655	discord.com
658	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\VBoxStub.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSDL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDbg.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuth.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libeay32.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuthSimple.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5WinExtras.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VirtualBoxVM.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_CM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcr100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetNAT.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6076	sc.exe
4572	sc.exe
3244	sc.exe
5688	sc.exe
5852	sc.exe
1352	sc.exe
6448	sc.exe
1072	sc.exe
7092	sc.exe
1248	sc.exe
3604	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_10080_ld.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
6096	taskkill.exe
6396	taskkill.exe
6728	taskkill.exe
6312	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666639967595692"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0002-4B81-0077-1DCB004571BA}\ = "IDHCPConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\ = "ISnapshot"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ = "IInternalMachineControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20191216-1750-46F0-936E-BD127D5BC264}\1.3	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.ldbk\Shell\Open	LDPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ = "IConsole"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7193-426C-A41F-522E8F537FA0}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-b4a4-44ce-85a8-127ac5eb59dc}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ = "IDnDTarget"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7997-4595-A731-3A509DB604E5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-f1f8-4590-941a-cdb66075c5bf}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1207-4179-94CF-CA250036308F}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-71B2-4817-9A64-4ED12C17388E}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\ = "IGuestFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7193-426C-A41F-522E8F537FA0}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1EC0-4C0F-857F-FBE2A737A256}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-762E-4120-871C-A2014234A607}\ = "ICloudProviderManager"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ = "IVirtualBoxClient"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-762E-4120-871C-A2014234A607}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6e0b-492a-a8d0-968472a94dc7}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\VersionIndependentProgID	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6E15-4F71-A6A5-94E707FAFBCC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\ = "IVetoEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\NumMethods\ = "26"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-808E-11E9-B773-133D9330F849}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}\NumMethods\ = "18"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32	regsvr32.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 929600.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 95415.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1380	msedge.exe
1380	msedge.exe
3740	msedge.exe
3740	msedge.exe
4128	chrome.exe
4128	chrome.exe
4856	identity_helper.exe
4856	identity_helper.exe
6856	msedge.exe
6856	msedge.exe
6540	msedge.exe
6540	msedge.exe
5164	msedge.exe
5164	msedge.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
436	LDPlayer.exe
5304	dnrepairer.exe
5304	dnrepairer.exe
5916	powershell.exe
5916	powershell.exe
5916	powershell.exe
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
436	LDPlayer.exe
436	LDPlayer.exe
4140	LDPlayer9_ens_10080_ld.exe
4140	LDPlayer9_ens_10080_ld.exe
3084	dnplayer.exe
3084	dnplayer.exe
3084	dnplayer.exe
3084	dnplayer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3084	dnplayer.exe
4340	dnplayer.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
4128	chrome.exe
4128	chrome.exe
3740	msedge.exe
3740	msedge.exe
4128	chrome.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
3084	dnplayer.exe
3084	dnplayer.exe
4340	dnplayer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4140	LDPlayer9_ens_10080_ld.exe
436	LDPlayer.exe
5304	dnrepairer.exe
6436	Ld9BoxSVC.exe
3732	driverconfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 4404	3740	msedge.exe	85
PID 3740 wrote to memory of 4404	3740	msedge.exe	85
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 348	3740	msedge.exe	87
PID 3740 wrote to memory of 1380	3740	msedge.exe	88
PID 3740 wrote to memory of 1380	3740	msedge.exe	88
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89
PID 3740 wrote to memory of 1696	3740	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bluestacks.com/es/index.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd1f746f8,0x7ffdd1f74708,0x7ffdd1f74718
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7256 /prefetch:8
  2⤵
  PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
  2⤵
  PID:6824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
  2⤵
  PID:6832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:6864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9044 /prefetch:1
  2⤵
  PID:7120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
  2⤵
  PID:6328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5164
- C:\Users\Admin\Downloads\LDPlayer9_ens_10080_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_10080_ld.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4140
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnplayer.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:6096
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayer.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:6396
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayerex.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:6728
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM bugreport.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:6312
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=10080 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:436
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=459430
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5304
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5864
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:6324
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5068
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1876
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5064
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\FE5D6A1C-76FD-4BB7-88E1-E0A8BBAB2D55\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\FE5D6A1C-76FD-4BB7-88E1-E0A8BBAB2D55\dismhost.exe {17032388-2568-42F6-9091-9DA4B7BACD10}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5932
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:7092
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5852
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1352
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:6436
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:6312
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:748
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6172
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6448
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1072
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6108
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3732
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6484
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
    3⤵
    PID:6708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd1f746f8,0x7ffdd1f74708,0x7ffdd1f74718
      4⤵
      PID:6080
- - C:\LDPlayer\LDPlayer9\dnplayer.exe
    "C:\LDPlayer\LDPlayer9\\dnplayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    PID:3084
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1248
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6076
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4572
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
      4⤵
      Executes dropped EXE
      PID:3628
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:3400
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:448
  - - C:\LDPlayer\LDPlayer9\dnplayer.exe
      "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SendNotifyMessage
      PID:4340
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3604
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3244
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4656 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8512 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:6164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:1
  2⤵
  PID:6404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15127428520550676074,13644732997919724536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffdc0abcc40,0x7ffdc0abcc4c,0x7ffdc0abcc58
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3488,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3820 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4896,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5048,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,810369034402793990,1691521091929468214,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5508

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x3a0
1⤵
PID:3092

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2104
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6348
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:7024
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6288
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1368

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5212
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6468
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5532
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\device.ini

Filesize
91B

MD5
94d32acb6b099c7a87c8aba12546a59b

SHA1
18c98b6ca1f9b4dba44e859e088abace95303ee0

SHA256
29695f4af54d611adb6e12f41c8a23398cbcdfcbdb02d19df40213886ac5b8fb

SHA512
28955fe59441755879f8f98df386947d5eec5bd1b64113d2e1fd04ae6628900b1155d35f810df576d4de6a030b9b1f9bb7a6b1e94a6c5a9f699173bbd3f9af6d

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.2MB

MD5
6ca6b280f663ae36cba09380da45732a

SHA1
ba8a8236248405e079b70e586268187f75f67191

SHA256
acb586bb385c35ae37ce1727d0f032d54a472e521e9947197bd7c0bf023fc394

SHA512
aeda05f386920b897a03f8429727a7cdd02817e4ab6c6de51b0b25b01a1c0e62cd772e40f4c957c3cfd1ba06c499217c398e5b8ca35e076d8e739ee60678d37c

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
22ecb3a1881e87d1aac0b5eebc344e3b

SHA1
d3838c6afde16a5142886814d1c257f5b6f32372

SHA256
d538fce490ee03ab69d3f7362172282a311d6bf7037f2fa156fa37a5dbfe3185

SHA512
355b55f3aebc40a4ca0ba4bb7492aeae2ab9e8838e2b4d7212d6f11c0db5db3240244a8fa434791a37b8d6c130df7986f3e265441fac29628a56f962950f4f37

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
e7e90b0a5ca7e0c80d7baa3f18e3e9f0

SHA1
167a7f8a8028ffdc38aa5e2da68244c774426403

SHA256
8df63a6dcdb991f40dccdf1dcd0008b35a33ba4bf67a108dca016610543d730f

SHA512
1eb0a3409337c5460046d3138155e6924dc3fa7abff6f05d9e976ce43d7c66928026f814d19c3eca68f89c040e9bf73f70df4cfa7186716d55607421a5f817ff

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NotoSans-Regular.otf

Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\dnresource.rcc

Filesize
5.0MB

MD5
85e3c7e40ab9e6c388340e47f7929bd0

SHA1
6f182153ede12b5886293d9cf44f2fe2646598a1

SHA256
fcc47f1584ba87e2cf2c689072c27d03a901e171c01843cc9451a977b1a1805b

SHA512
95898b4014cbddbf38a9edc2971c6df8d252bb8b51ec62282a8f6819cc0b69b5a19fd27a0123e1360e15a006fefda8fb49600c84b97e1b9f480a753e4562c498

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
954a44aec064119124582f8c746bb9d1

SHA1
f1dfe52a9c640292fa8faa59c5f8c20a49403ea7

SHA256
fe5dbee0f1176ba7c25030a38f701fefd57e7c34c05ad3736105a316bf342d57

SHA512
7b279748fbe9f36ade4f34baa988310c2bf88afb5b61d3ce79102db2b06c909285fb9e76c4fda052bdb9f620faabda251105b0d430862bafd9f9f19d0d68a798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
723387a3b324d35a5b14f44ec676af09

SHA1
9cdfbd5d014f87142489a852188fbac95e79e2e6

SHA256
bcb9706d826f113328df22eea2d4fd48a7afc300315a6fb6f790cfdc4fadb43d

SHA512
b51edbb33b2ab323a7e766d787d244b2cb21e778e5b73a86604c6a70c52389ae9a674c071d40f776b265c7721c55ade4e467e251f8da6db4a7c0fe604e24656d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
ccc32fcc29d30e4da7af5767a9996fcf

SHA1
3cf0614e89cf6dad6f7623bce203b6b966560548

SHA256
99f2544123482087527df9102075d8f60e5e9cd77dd9677339b9f5fb45d63bc4

SHA512
be30abab00c71bb36bbbcb757e345433a14eb34c745105ca73b2d71e1a5f35bf09ad96d84deda22089aa80a5544fa5ee6f3d4a99d24ccf19c35f5094ee9969e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
1718475a6da185ce4950c473f57798f1

SHA1
f91162896e913a4cc69bb68d447d9ec14bedb9de

SHA256
3614ef3d5218a3d939c8fa6af75bcd320760da1cae67d343be2e225a00be1c84

SHA512
2aa40d8dd2ec7be953a590057db09f300013093903b2e965da7e55ead596a40464158a4fb1c24fb778cf7d407e3bee3c33130ed8066085b38dae8fcf1418bb3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
2436675252f541387e415cca80fa9ff2

SHA1
aa4f18767553bab18c929848063ad583e0f7799e

SHA256
9fb55202daf6259a83407644b4f1b8d33912cf001891973bc746ed06bb3cfbaa

SHA512
e318a691f313a1b4509117053f7c05c7320d2d7685e46be9422102c5de6288824ef15c5e3d701c4cecaabafbaa96e49ad94dee8c2efac648d1ee24af8cfa2f08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
a2d473249a42785712e38a473a00217d

SHA1
f43aa04893af9c8fe1618f63cc57bfeccdeb8c10

SHA256
69f63b9a243f270e11cfd2377d0d4f8539bb3d80ee2e28fdf55d7af1e1dfc364

SHA512
0d113873a59c063e518ecfde1c1d83474ca4e0790b9f114ace2343d61960cf659a4a95352a1d3baa3e3ef746049af8f52cae48193d0b99bbce2c2c1b0d33c5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
1222a02d55e6a191f2f48a116d056618

SHA1
5dd1fe070d426f6abbf01c5006799c887376a99b

SHA256
625d50f4740d5294bbb731fc29aa71c6d8a14a9ac5d8a2557552e7df3bc5105d

SHA512
fa7e1fadc54e3ddfb1904cc65fcab6cc65ddd084e27eaa46f128e895a8392222512d30344a2d727a8df589927ead0343d311cd72641c2dec5841562417c14737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
adce816924b623ddf8de01a5bc89c3c1

SHA1
a3d0559b3a2be8f25fb5eb0e0911ba20d30e4841

SHA256
1647cb0746e9b354b97bdec4ffe0ec3cd945c062af74d0f008d780bfed2d4d77

SHA512
0ff806158ad5a58444b0da938b7d993bed385f649ab096b6443e693a19946ee41c5bdbe25251600599891a37955eb2eccb50daea19aa5915f99a17188f2416a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c44699684766aee06d08c18a99564b14

SHA1
460c9e869f2a7ba692236562af183236c76480bf

SHA256
42ab057690aaf6a921df3754b0b710dc64d9e6e861474a222eaa1e9f849e1d6c

SHA512
6b52ea30fd2d73f9d19f1e32092d826450bef0c971a5ae979e0d331198cef0c50ec6d07213dfc95ccec72fc729a68c2868c5ca39458bf348b11fc385430cc770

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a53a42ebde8c9787b81520cc30752cba

SHA1
4a6068619bae8bebcdbb532a28f140cebf813f8b

SHA256
d0df2270be100de53f2d39f3faa9b135e89b57c5ee7d91bcabec391970106467

SHA512
762d9c94577e415f0ea59ac1424158e30e91fbb55d6e036e683cc30dae08a8a7f1054272f7454864b69576c8d54f486e508f483dc96d29539854bd914b24657b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e1b894b626ecda488a96ec4dfe42baac

SHA1
2dfa1f3c814156af7cf2f48e091a89348e53c313

SHA256
6707bc18f3d6536d0f3d8cc583ed8055e391e2a37a2710be236c1adb7135413d

SHA512
095f000a081c023013bfb1ae270eee81328b205e9d827a5730e03d1cee4a2296e5dbba67a3313caefbd28dfb0398f166c2eec4f64e5fba233e73d121ed4b550e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d37be2f33125d9c6fb93b39533bd2559

SHA1
3d9bb3b62b161fa2f9de2e493b90676f6ffad69d

SHA256
3bf6dbc9e3b3399cde262d0c92d305a225f000eadac159650e67d3f7a2aae744

SHA512
9ac24d64041b6caebcc953bf9c3f0c2fc5a3ebd68c9f7c842e14dbc7b281d5d643dfb95f407e5896cc9b3d289f63e032fcfa4dc242db59a6350de37dc5df5bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f61e7e6f3e44ff65703b3132fc0d72c7

SHA1
e074df0cca6424412c597cce60da878d092b11d5

SHA256
c39018025691798515b9891b85093616f35a0c2034b9361d78c3d4c9783b9fa8

SHA512
d3d3cd0be8e2cb2e72e78fefd7ff83d8b8aa56203afdd41a55f121375481f3c497971f89eb90baa47fbe08f2fa0aef1b92546c2cae009da79477c0e0f304c34a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c39434108de9c76111c0f0024772cb8a

SHA1
45b43ee70c4f3c3132eefb6747e5d8f7473ba366

SHA256
e27d561a72d0113612e878e7e9f28c04dede5edff7196e8c4dab9797aff0a4ac

SHA512
cb43e40a34a1e19fea3cd9a099bbab84ca84ef7bc477ae15c8825a43292ea31d4e06182732d066c8506bb36f039c6d5b29b5a2a54a2cf12d6b148b31fb3fb184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
71bab89620b4b8537a9171d6d52e4334

SHA1
245b6b78731b334ea4573f207d41e78a96adf2c5

SHA256
de744acf27141835de3d0d1d5e36b927e285f1a34e42ba75e9fdbb4413d56775

SHA512
55bc4b1cf9c06c031f9df68f9d306bc1508d54657a90be08783402cf8acb09a9f6ad6e83eb135f4110934cf371381b5a35b6df26379cc28e112f1383fce21e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9523dc58daa0b9248f975533efffe01d

SHA1
f574189d0f4c61d6386381daf963154d737651c0

SHA256
6a22be2dcfb15cc341aa2b16c9668c43f27e9c50b860ad3a099dbcdf9a479c48

SHA512
91629778d11446e168dafa86d9dbbfe5227192bcc14ad6d808e5f7403f1ce1bf30afd3aac5c9e35298c4430bba1d91d1f08b470df31e0ee6c796f2b047292a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b0a52dea3d58043025093f7b7d4a19a

SHA1
0821e6c67b46bdf2ca86b8c9d789066874712bfb

SHA256
eab8342ee0d84b9b3caa1b5b6a61e471ab8c9fd747331e17302c0b43848de7eb

SHA512
0a8a5db94b4d3778a7cbf6cbdc209fd9d7d57bce2b9c1145e9e0f25b5b6a3d8d382f598a9abe1ece0c186909b3fb96646880d7faa2d951148c350c6cd2c7a30a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b56fff60f4a179f22c962f4fd6b7a6c

SHA1
9b05191e04952ad797aa30463a7fe8a1e2ec9526

SHA256
0e970ebe35e325a81194e7070c01bf40b22c61ff833cdefb824d56b81a8f8d9c

SHA512
36dd34f1d01916fd965cf607e236139f808abdee036a483bc9b1e4d5441f2c744087a2ab360b359e8a5103708469c65b28041972b8d697d6a21f7c99783e78ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c5d1ec772eac326d8cc06d176839f07

SHA1
4a370aa485122569f26bd67429bf99a87a0645db

SHA256
3b094b77b374aac294b4578ac06439fbe4069f6a52b5582800f3335f1bd7ecd8

SHA512
953d198d1a777095a9d0ae2230ae4476564e6e6c1a51b5ad63bf83f919dc8fc812f8a4c957edf6e3df7549239aaee0308b3cfb9b23773865f678c04c40179795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4996b1335bbb5e47e65d1f046657182e

SHA1
b9a9149c8cfa55cd92e174e42dd4f17c2feca95c

SHA256
a6386c095f6de53468c2dc4220558587892cd61281e1c2172a7c8002d01b8f06

SHA512
ec53e85cc0740301c556c711470f9b256b062df262f0128ab531ffc53d7b96188d8ed523d2625a186fafaac114ccad1bf271300abc0821dc2f4fd3aa3ffef6d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c4c512d14248dce6423a0c2ffa4e938

SHA1
74f301a847b72ad8a5ccd2baa57481068b22d195

SHA256
a16d4b604c037f8744603b1f52b2960acfb0eeafb583909da64d3c6f0029efa2

SHA512
9ee19e71dbc4329ea8a9f5381204f804ef814556a967f0f1da454db1d953154a8a09d2b96a7e49bc435cba550bdf262ab705c22003a141338aeecb35b9dc3490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec12a433a390309551c782e3fabda659

SHA1
c7b71f82521ef84a06a8a4e6d78e556f78f497ad

SHA256
c13787b9833f75bad36126a08473ed97eb192e175919de877583be5f2c1ab82e

SHA512
2355012b097a33f0f96c950748022980f2c1d6e4a7ff5225b12970c06fe7823dcec62e1c2c2d4556b9ded3517ca437f72b80e7350304c062b4aae4ac956dcf00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9b3cced3f77914b8a65e226eb3a90c7

SHA1
f69a7da1de0dae65b917bdd453c48fca61085f20

SHA256
82ad1460faa494f829c2bc2f010aa125e99cd9800dfb8cda42ae41e5a14bff48

SHA512
c9bd908cdaec3c985bfbd77d2bde6602b16b9be73037c6cbcebb4dc95fdcaa1d3edad7eec9d3aa890d615cda5e5a75119740dd4ef6ead99bdbac6030b8f33352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af92b6fd7e5445c295862553709dde3c

SHA1
45cbfb866e7cbcf2afe78e6e08681a9aa7e70271

SHA256
107ca5d9061f1f0abe256bfc6396c4b4e2514214ed8a31e2d57978befe099028

SHA512
996ab9bea5dbaa53f024b3202b35df703800a4a4b4783246cf92777c01c9dafe6c2721869364c3648d2718699aadeb2e71f05059fa360abfa3249fb299826c3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54adead52595b30131440bdfcae1cc31

SHA1
f7352644b06208d5ca0e111445357a3c4364add6

SHA256
b431f22e8cc910d42d8eae12400202edc006bedf91e06f521435ac7a32c019d0

SHA512
66758c8cdf6bfbb0d18e45058fa4406b0bb68489ea8e9b1bfbbce63a6c740b7cfbeab72f48f9c0f395253d4eb5a8c1caacd43e515e44aa60dbf29307a48f28e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
214d3c719fb2d3f01abba5ab793c86a6

SHA1
6af92f55348f1c4f8f32244700a2ff0a2f564d85

SHA256
cb4c1177b1a9f61377e34545bf781304b0e5a8f75e0aa24019e26a1400e741c3

SHA512
6a995b3085b193c8f698169af482ac1fcfe310980e29c847d74f6ab5f4cf0dd31d8925e1d32d436cb5bff97d96d5b8304deba767c712ae392ae7602f647b5694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db4971726a9ff72150edf1c15e9fadc9

SHA1
f6ebc0fa1b9e931455313fd1f213ef884d824404

SHA256
72be491230b0a4d2df18d51b953352b28eebc5b328c1b587ce920ace03f0e6dd

SHA512
ebc6b5fc216176e552fc3beb98dfde04f5401fb5add9cdef7d8d3c3053f01d74bb4ba549e625e3f8dd3ff226d852ccc1ba38048a84f07fdd0b9748f2ea29a7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13e412fffa2abdec6961c5559f190510

SHA1
5dfb08f3392d5488621ee97ac7b546266c95c8f6

SHA256
9bd29f3d05ad14714b6eac80780416cbf75cecfcad36a3131812222ddd4e3c01

SHA512
9a6c9bb2e07f3e7976072445070c2f47a17eee33af85477da8653a98f7c57caa95a5a9f89c0cb480b850b3b1047ac144f87ca8c31a01ad4b8476da86920e724c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
16c1c3becc04e36703193ef101fa636b

SHA1
4367f731cb1fd5f325654b5324591b02a9c97d85

SHA256
fbce7e43e3ce1e8704c75d9e17e95cd33012a57b76ef99d4acc3af3ecf4d609a

SHA512
4633a440971dd2cd2135a3de89e4c59d477d10c31e885a8c09afa369224e00eaafd04a515ef71d32881cf442ff840b4fcdb3cb63fedddc4e24a95ca9dfde613c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a930b29e82438c6d8f04f860e8f6882

SHA1
931717037bc89dcacbfa5051dc2677b90d0c3e50

SHA256
3ee945c9a52926987cd63f407781aa68e9181696939f601bf9e558e07e722756

SHA512
0e23f1ea93b1d5b7801028f96b4435b90a7ddd12eb12f60638148f392f85c6ba6e4c073cd8d1981d404cb05084724bd8b3406735a3ac5191c256291a5586d6a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3bd1ae371dbd2612bf32cb34e5bc3a96

SHA1
1be04363a16a2a42734821328428e40be62a4d68

SHA256
dbbd7488ce97ece446439fd4dced9e083c2138b129d1937b05957975c194e6ed

SHA512
20aa34559024b4d1362ebda276c017b4c40a376d7167b7f2669489952ff5c0cd0c33e02f89107d1d7b515680cef6939c3106751db5b6c002071bcf9213992a0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35230863efced68878b3b575e2b025e6

SHA1
3a79e80466811326eafcbd54518dd50a452937ae

SHA256
93cfa8f4293408062141bb38878915c3fcb35dd959700af22e22de402efaf849

SHA512
13f457feab414a1ab102f00b7a2e7d0a6c2ba36ea262bc230e8e218023c893bdcbccf1409f5c86c7f2586637b9ffa81cb99d0b599003918229a44951f1b58618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d59cfe1965542645ec8209c880634af

SHA1
7629686f5b202060a2aed1e48d474a73f344e72f

SHA256
68a3b359438dac0cc99734486e7efdf18c39ba754003e15e556b806d7c535b8f

SHA512
9698138d89b6c41bff5d10cab6a0725826a5faaf19361eea3b23960233290678f3dda909cdbadff87b580cbe652a391be4ed9f0a87209ced91742750c8c67f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b1f7b19661793511770cf25ae3ac5cd

SHA1
19e1db2919c75c53ae9f94dd00009a82fb5ee0a2

SHA256
86009c78d588727c2df12c89b196081a1ed6d36f4b4abc0f16a7a02f5d121726

SHA512
681e143eb6f59b2a64ec7a10e8e2a8eec0d1f938e24899476adc7106d2320e7f979834394902c886dfcba09b3d6c6af1a81f4efb79972b97837743edf7936a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0cc5a68fafbabe200b4e4ce20562746

SHA1
ffa8de2f13fdb129327a7ea06d74eb8392172576

SHA256
d1f64d8a05ea697de41787e41162012877ba8fc0ba1c67f7f4cb2374ec225e6a

SHA512
ecf3c7809aca40961bfb72ebf887e23cc821b9a694b1cb07e024ea31e2f450df563f02b3ea9ec35d4983e8fd26d5ae9b1262bddb88e4dab762c054bd1b7d9955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
162b1564ab01d160058036e7d3a23670

SHA1
cc9e70e8f84dc291b81c89c4101bd84eaa69a25f

SHA256
7ea0c7c1c381326c42f739aa34fcec3ad091e5601be49067a993671e2ca9d541

SHA512
9f8e38d44e7ede8b1a1479c1c4f3cdbc1cc0e10f60a93dd9feb353f6f90aa569f50d1940a5639aa61ecd4a9dd2509a80f340596df0ac5902d1f4165ab9cd6ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d02edb9d5ba160efbe1cee63f1f9652

SHA1
db95fcfc11209d7b4d74f6c26b66be932d246f37

SHA256
57574a0b10e5f4f3c539cbc0655f5ee95a7ba826f78ce26c64ccad69a62fa267

SHA512
d6f91bbad2ce4db278345b7400091e338ddcd28deed645eee6bf575da073d3d7d0466ecdb677d5f0c39904de8fbbbd5b765e231aed9b325c9bff135a4d1cf254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
746871855a287164755d82c8e2f45c55

SHA1
4484206d2147d99b8518471c489fd74b5d574230

SHA256
2f383c217c1bf38b4cb57dacd41747871541c0b1c1f81a1dcee53ddc2b32ca21

SHA512
30d51adbd4be6b1853f5179a45736e8a2b09905953e3b03f5d98ca6d273fff63afa505b689a38df05f1efdf6c464d5380c168c73aa7c8da33ce1524a0ad5519d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
275e3d6b12869b768134867374f1d4b2

SHA1
7345dc69327617a78c5899d102a8631d19558027

SHA256
23ae73136fcdd93e5dfb8795105a1cfd49062d33f644ac0ff6152723b7070adf

SHA512
39989013e7ff5b3a51e5a53ed8e3ffb061a1df1743137bbb5ba80a4d82d81e213e9256a3dfb2e4f41e4c27e0d0a63a60e1833609ebbf55a4092f486bf6160813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bdf7e5fbcf9bc70cc66f14dd299c485d

SHA1
b5335b1e0e8d7671cd67c810b2bce7c55c893234

SHA256
1ac502dfa3e296f8118686442ba80b5b974ab005a37638adc4a56c72813e5f80

SHA512
c0b6ff463ecbb50b6eb9073d2db5ba4f719fff76d7c03b8998868180cd904249503f1c739f10781d3ed6f17defe307b3a3ef11ccf902976797a916f17827a32d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
544a18c7331cd1a876daa105d8243126

SHA1
b03af1d28e135ddd33575c6f2a21cc913cec1cb7

SHA256
891b3b62876d4e6e3de9705a46a22c312b36a8553ada2ab92f4631a9127613f8

SHA512
4356261c51fb4153308bbca63842e5d524ceb3660f1e438f81408947f18c298c4f06a5a04a7bcd9ca2dc6b55e19ec1fb03eeca74d6b56f2562edb18638128bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
c259c275faa4347945f744d560763987

SHA1
0add1e0c7825c04a68ecaeea2eda99f0cc50c618

SHA256
e5b539a6e6e6b97846afe0cdaa8c826f0ea86fb83d8a86132f6c0b97a16c2ea5

SHA512
0f1402599cb88ec477835e202de1dbab5a776a0d275670d720dc9e1b49562de1fe198fe50e081d28ebe69cee9ef62dc0a9ac544fc718d2b6966701d0fcfc1652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
d12bd28df5a1961ff4e73bc28c3d6e43

SHA1
c3d74433f237f4608e9692a2bca7a25ec1114b99

SHA256
cdf1001b3c74a3d1535e233a93e74795676d4402a7270555a9c4d65fceba55ba

SHA512
7edfb99fbc0d06663b551c7e4e095e8d7f79462b0bd31205a6f64a425c75d0feff2b4e6a21a9aeccb2ab4e7d94fc8ef154a35e1113f4be958fedc684542a9e7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
e72d7066285653b1e91d2dbbac13130a

SHA1
ee0286d7d206a91bb1744194a6ce0a16c0e0a2d5

SHA256
9d2648dec7a5cdc3e5595fee06390af34b97518437b64cfb07e020979e7ff21f

SHA512
f1a9e71b645673662bfccfe08f16299da2b33e9851e01cf42434deca98db4d2511a07fbf44e96ac3bfcf2b588432d0c42de9cd1c59edc817aa2a2f913c5490a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
2af20b63829ad677ece57584356174c3

SHA1
2ffdcac7d16399d0e5c0a496044ae7cb4284bebf

SHA256
fa3738bae1fc3f00f27baf8fce7b8271972b4804642093bd8eb73dbffd05a451

SHA512
f81a778d8de668ce0dbd930e2e0247d4cea000d54e22a9bd210510017063376b513ce0e9758513d5e0c8a5d83a9c8225b52a5bfd3d40160f1361010e5eacfcc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
30KB

MD5
6fb26b39d8dcf2f09ef8aebb8a5ffe23

SHA1
578cac24c947a6d24bc05a6aa305756dd70e9ac3

SHA256
774379647c0a6db04a0c2662be757a730c20f13b4c03fe0b12d43c0f09e7a059

SHA512
c40f4771c10add1b20efb81ee3b61fc5ede4701587f29a1c2cdde8b6faabd1c76d769bf8b99aa19082012f95d99ba448a472463fb9056acd2e43542e14e605cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
20KB

MD5
9aff2c561d38013551686036582d6468

SHA1
f88c6657b2e1fcd9185a7da18f26aa06268851b3

SHA256
d8b15daf1c17ee510b7c0d83ac412ad1b20a044536764cd16d22b78a8c29e827

SHA512
89f4dca622efcc60f4cb3f9744b7c8fd0684916066f912c69a0d5cc669574cb0b4c0e5fc1e358033f4d518a70e1b80eefdf1e0c5c191c9adbcfdde6cca25414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
25KB

MD5
05e9679509b61424a07cc4d4efb7247f

SHA1
db4fcfac1d89c7e4f0bdbea9023034b64a9dbd81

SHA256
31798b2630a882be758010dfa51b12026c8fd81f0e4068b38fd739cac78cba0b

SHA512
1cbe7343e19b41f3f116a93d598d7b67779d29c6bc0a7b086d112dfcc76fee60811290b67b5d2561751700be483f6cd460b9b4c8325397813314ba064e4c2208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
48KB

MD5
da948371d63bac0deecf54376b1f7380

SHA1
afcdf9eaa74cad071d44bceedcaed24789ba37b2

SHA256
5fb1f20319ce41d31b6c502def24be697877cdf34646e45cfb7631ab2c783e73

SHA512
94202e9aeab53c0c5707df70f96619d55ca010da94551760673adbd2cd70a3680cd4c0d605fb8c71f842bcfbde6bca45d84b798c332849204104dada363b2d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cd747d2c685dd75f1f328348f1bf1e35

SHA1
b04608633b5f6a174e41896834bcb3b3ea98cb8f

SHA256
e00037bd8e0b6a08c39f4e55fa94fdcc164d43583124d16c94022f074a75c70e

SHA512
33355671e68699b1ed78bd4a97cc4815071ebc0bef80085e6f90147c3d6ea569433b3b107650fc922360001a0d60ee04d5975bf5356584d51067b12ddb7be6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
d7cc1fa33dd43bcd18250089aa7ce0ed

SHA1
f3e13365bcc6a37887729c2328eb574bcd59317f

SHA256
3347b7d86353066c63e9563c454c5c61874b35455a0ea145a2094cd6312e76d4

SHA512
e3a0d9cba320317741b3896cfc0d650677884829df26e268155d86e4c58eb03d85ba6c87dd083561c38f811af75835545b9d0164c5e5743df3c6331ec7146ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9038249b991c156427ff0f97d5c55a47

SHA1
41fb2ee951625dc89db7e2850de9b6bb686d86df

SHA256
2539907b3290126380e9422a67b9e8dfa30b9acce064aa5699f3326a4a1f5a71

SHA512
fb9f38529513610c97dcf0eb16df347193562e575f8d4a180279489777d44e1a4168ce52f8d6e72576c80424df6e102abc3c597de0478c1c9cdf3a85b44a2d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5f42e95b03c5790ef8db4e75770c7e08

SHA1
5f7c45c72ab34ceb19c26249973fa6591bfcb3f4

SHA256
11426e10553958e7236ddc9af3388ad504a3a75450e2d40aaa65947adb9f31ab

SHA512
8289f5acd761413a7fa3496a3a2cdfabaa647a20b590ab5b2e28e074d13bbaff2c63f0f3d6e6967e7c772979b0f756f1c1371825d842b059a71a8e7ca8a6792b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7024229cd5fac6faf21ac82e44930474

SHA1
bccb33cc0465093c9d588a9ec17f265f88c71245

SHA256
0c591fb5ab173f0c73be3eca426c292f813888f258154de982a53089d454a25e

SHA512
d7b094cc9c45569feb8cd4fe60c2929243482c3b100ba3e59c9fb08d4b6a9ef5593d8a419d5e24e4f176d46689d471dc26c84270ed1bc83c9a432c5b02f5ee33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
892713d871a7a09dc2c359a3aac2c00f

SHA1
037b973ede4597b2a27868341cf3a5fb83be25bb

SHA256
bc243ba9ea9a103d354ec493734376ffdcd31f7d4b15cf038e6765edab70409c

SHA512
6b0903b579a1160f9a5cadb4a181759729054f18bea7dcca48812678db2b70922ce7ab9ecff7fbccdb60e41a90d53c1fef6f1009a55d5ccb4f58fa60ee1942eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
be5c035e8bc0e7dfd9ea5d68723d5f4b

SHA1
c7d9ab8190dc697fedcb3aaf83bc66fa636065fd

SHA256
a4d84c17dc5ab1408ba3cbf8d186b7655b6c8a349b4f803f359f40d91f2049d8

SHA512
a0c96ca66107e8883528850c8408545e3bae3c5ed36bb5f02e93647a8cb19bcfeb41dac126d9c181c850f40addd9b75ea479d89b3d38e2f99db7e41e3a3bb6ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
e321f640d7c92e25c5f9c826499a2749

SHA1
ff5aff2d36547777866699c07166505278e611ca

SHA256
79d829faba3fbc3f7240a260fbefb4278b4f9c9d38df459634d183444731fdba

SHA512
b5f00bf669d054c1dc1e60e9f4e9f5e7a44f5621177ced6c75aa9fcde34120dfefb701d154e03fec2cbb3202902f0cf7c92fbda7704bbdf028093c96c93f4398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
4eede5d244314c2c1da4e67c0aa34019

SHA1
ea273924d0ad6275c4d9143737bfb3b726b84a39

SHA256
a74c2e3d1612325876decd646c8d6522436fd9d1d1932b054acc2e22e00ace23

SHA512
f11b13ef57d0671921a62300719c3aae9e90d31a099fb2f4a07f8673c992dafd06fcc7d323fce90b7544c6692b4aca1e47f71dd7e144fcf408943b2c1578f0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
87185bf3499a92dd50d2ca7b61e043da

SHA1
4e448967d238e297f4b7fcba58984fca6c7a6369

SHA256
b3b094fc5d4b5baf65b34e4e1f3cb0f87b7cbd0dc818f58b98ba45b8db14ad26

SHA512
04a6c0d4542cd4a1645d3acc88ae9364699981baf484197d36ec214724d0508eab5e02a3026e97f9ea46db3c00f1ae678b7dbfab774a4e248a80df3e04e9145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
20370a47be439c7bcb7c4ff8292b9ef1

SHA1
f031f4e36380cebd9e82affa892a29c420ae8c97

SHA256
78c294d91ab761f9ca4fe5c7fc2e4f65cd062218650a31d92ecb7a743d5e15e1

SHA512
9894a01bf9e26a40e734a2bd8ef332e2e340c4c220a6eccfbab2683d6c9cda785ec4feff13c476e71d63f07755a63d97fd57d4bf4303f2d0218db9cbd4f024bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e0ff6871cd828b7c95c12230a142991b

SHA1
b338d19922a21c074833dc7e26c1bf82887fb45a

SHA256
42edebd14392ba986af569cddf96aa47f7ce527083f99e6924cd6467a7105be0

SHA512
793146e1891808d4343921bfa249732c05095ef298bf3dfc9a195c36c590250dc64c3c6562b7e1a5c4402891cf493da54958d787fbc4c618ff1ac1b4ed6748e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c6e3fccbb0866ebacedee95e397d783

SHA1
f824936c2ba47c4880f722d1ee03273bee8c39b6

SHA256
b0187e9740d022f1d90849343930ddc3259f4a8547dd25b1400106dc41904bcd

SHA512
62d8a354e18f3e99569c0fc394616ff0e017eabed6a2bcd4a134670cd63efa74dd13b28915808365aa3943c711b0add4e030b3a506b19358b34d6cead0165ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
949efc203809ffead9b214724beeda4b

SHA1
7045d0cab25f43ec64ef53e084e10fb0569e430a

SHA256
0d59536d7fd53fdd30d1fec4d1d68e08b64ae1a978bb1c74c99268a1e006096e

SHA512
f721c33ab525b5c74921c2513c76da37e2c80737c37568be884b03eaa91d14746c3a8f0618425b1fe20aae16e87c8d13dc35f70689b2975f250044017ce3bdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
593c36368744cfa2abe27ad6390677b1

SHA1
a66bf76e0d63a32af8f932e7b25a53a6d9850b45

SHA256
d82cadf8b022da5203c6d6a20205264826f070c57fc7c521a3f7839c6db13b3c

SHA512
803368524b9f72fbcd614aa20dae726210acf30e62c0e1c2d99adebcf4bdfa93285b71c6b4f2859bd064bcf933f42316a9a637c54320d87855dd0f5195fa60c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4762e2255cf0e8f50b4991c0b5d47621

SHA1
e24ff466058bb3641fa73eab29ca79c8b7af6a19

SHA256
73f9023501db2cdf9ee158135c8147121405ad5256949c72735ec1deb2b89499

SHA512
42fa94f14a826deeb804d8731961ba5b3db36d70ad433f1fcdc9a71b0bb1ca8aa4b3760391bfe8e0e2f3b3956295a05c562d106a0923572670f82ef813c49fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
09db41a9c7bd15cde96fb8ef88c3f891

SHA1
cca6f631d6759777e2fc86f2c92aef2a53bd2773

SHA256
e657fc4b7b223c799eebc67838495e91aeb443632a26b77513fd5e27de31a7e9

SHA512
f681fbbec723da31ae290f412c49dcc73f02acab1eb32c5c08af39012eee3213aeb92ebf30b881fdae1fd6860faa6ab1f0dd9420e67e5eaf05274755c10e506e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
ae81e69f57c39a11439c93ab9aaa8a37

SHA1
6a363f573addbc244cc1875e6069749d3c6f122a

SHA256
b8cbb214e7fbe624ed7a3e14bb1d0a9f8a538bdc0092106542d186c5227bdf0e

SHA512
c39a90a48f4e8cd35df86ad79b63a5d7524ed2ca13299e069614adef9343ad9bff21e640d39fee6684c20ba889fee53928c41dd92ed32111d462bc43019f2b72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dda4ed6a15e4efc65fca4fbd1d93ad7a

SHA1
50b96f31d589e4363999b83afd4cd7df8491086d

SHA256
e353d2214ed4af8d77f2c0b76eaed3a1f6c2e592c133538c12cff1fd1b12f3e0

SHA512
7c7cb842a83b84b6ac93865e0c4ffa335392d438b448eaf364703d9aee850e51d1aa45eb79f12dceb586f858a1b3073234468638c824617ed2fd252a2b883269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
697B

MD5
4d343468ae7ea015ddc8e5deaa55d7f7

SHA1
1e7ea2e2c9f28cf518a3c07de7e87f1a1f9b7d6e

SHA256
cc3880bec7ab6439ff9b657c4c37e47986d87b59f078086f5b23220246734266

SHA512
19c6e73785d053b97e1b24c90ee53c15bb6d9727c7767819be08f92b7f535e49df5dcd17a2e4ead0c4a24c3d8e919b7ecf0bc6d819566bd475701e72e6e77323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
7d125154ae40c5f25f4756664d82f051

SHA1
e393b899d168c3d25e214cad7f99202a1eff8719

SHA256
4b6e846e2402eb0fffd92cdadc4c2e9947ded5788244811bd22c76e06a8fa483

SHA512
059f4d313c45a24d5d944ef738c9bdb12d8a559061d74007c09ab1afdd9ffe1b3756cadac5368d3fcc82c520b5e37da9e43067889ac9aa33b872195a5df1ea70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2659df5d564311849272bf52b7489fea

SHA1
c424a5659afe63bcd57de51bbbc886c6a3223353

SHA256
80c0f91864894eb592d49cac94b3bad9bf352fcd19cac05a9f9ba5dfbf8a7b30

SHA512
7e4fa7af3c68b87cdf4334b8daa46193d3a35a8afa108f0d743271db7cd509460370b76c917ea3ff9c22f814ffb1134ccac830f1e4c6e84774f2f75db6d96672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6bf8677c27399b6a134400636eee0759

SHA1
d23f85da4e23f257598e82aef23a30d0598f3931

SHA256
ca900a544e8d95e632507b275d40facded4becd29a8d7341784871458c3cce56

SHA512
9f11e56819e70f7f072e4334e239d921c8090529d22e343482958fb1f24432e11ae2d788c599d1b064c604e32eaa5a4f991d689f8f808489cab9ea683ab1a278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
699fd33c2e6a0089ccb8b3dba2adc17a

SHA1
387685242d8a3538fcae927efad1e08c063532e9

SHA256
d8db295f1bdbce114a29ad2d58d887696667bb8678b789b023a01913030a84cd

SHA512
7f4d635d0fd1807a8054f3e62c763f50f5a575176c25a887b0cebc0f2f799c3aa93b2cdefaafb10cbed104bbf278b332524f4dfb197df4638e063029d77e6614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fe9c429a2ca21b1e2a57da4049d9017a

SHA1
65823349df962a988c60875527dc239719ce7a8f

SHA256
f313dd81a74600ca446d0106cc016365fab7a49dfda3488a57c9438b23ba8f54

SHA512
573db780ba6a67f6980410b33707d535e53b54ec7af5a1ff69e310f252fd10524725799a5ae056ec5f932afca860f7414db453ac63f02c80128a4c184a28925e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
efe355f7f03ac06ced60362b3f5c2019

SHA1
ec49c9e715619cd6560fcf3ec4f68b2fd82b332f

SHA256
9d9fc912a9e869aecdd8a461997233d5719130ea50e7862ac4fb74a796c1d22d

SHA512
ed9d52765c60b00752242ab0fb38bc53b075db47339ad1417bc9fc3f9859e8213f8cf272e7f66f5a8ab98d8e307cff2f99ca28100b5fb6d1b0ca6f1a66d1995d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6a95a389836470f825d660769f02afac

SHA1
778bf99be916f27c5a77a67473a2b626fa5b972a

SHA256
e4176a4482ab89ecf5558afc16218ffd5bc91f6b91e6de9f0f4344078b3d76c1

SHA512
a88a571b1e9c72f52e4b9c849d9ad713171f1a35144ff42a97d1a00e6c64384875032c631abc9c2e3a49f1e72d22dde8ed880b16cd535860188775a790852aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e5af11cb0e4698b0b1fb4cd38701c647

SHA1
1453ff7c8efc6a6e7f695cccc519a97fb4eaed12

SHA256
71ebaadb11f8ad39a549cee31d3bcca4f134d00606a6cc6d06507254ccd9f806

SHA512
3f645cd8c9664b35ff96bd49bc226db9ced4ef86b55c2833d3413405c9af89a254d0d899ce0413a909277854e2503eb6cc323e24e53da90c052ac5a8fbabf6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3bb68c9a596bfd8857724395c2fad237

SHA1
a83d3b9dcf56dcada8ba9b7958b09befd65e0244

SHA256
12f8d7381b8a203877051c4c5b48a043b0344797c606f98b505e4e43aee400fc

SHA512
60c00422f2952a5f45866007a7ae75d312aef964d9e0b4a9728700e440749dddbac81174d4f39c8430e3956aeba31a542acf1bd445c543b9f62cfd90dc0297dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cdf433e9236eff15e76d1e58e1d966e6

SHA1
a3ad5016ea801c2add0dfab947de2d6440fc205e

SHA256
e57572602e7cbef476113e0350518e66cb4e6c8fdefd25a63eff34d89a64be87

SHA512
506b0001557232f80fbf245e34e8e78aef5e26855bbffe1bac7f0c6c7d8a3722aa92a3d59e5e4ec920583c901322906bc1b94c5317106553097915efe71cbcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0e2773ce72f1b5cd429bb038abde3d9a

SHA1
635d802e7b8cc0c42447885e3a7282a4de49b8b9

SHA256
2747b7468f5b267cdb00993140dc971d7775e82d834ef6fbc5f99a2da3dfc3b1

SHA512
56b590b49c8ff534edddd5712d286a8f0ff0edf4bdd05ac02a88727aa11ec9fb00f31fc222acbb55b1c0cdb3d05a26cf198cbca1ad75963b8cb0ec63a782ef93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5832b3.TMP

Filesize
532B

MD5
02275ea13265db01a0a3c7c5deadad1b

SHA1
4cf59c33258c0127dddca0b18075ba573d7ef1da

SHA256
87b2dfd11d6602d698545bb3d90a7501ebf2d6141a2c96a97d106da125858b86

SHA512
e2852058c185ba1d2434c1408fd45b9cd813cdf1b0e6f5ff92453315dab11a0229690cb59162edcfd393d2518fc5b2ba88599c08331683b9465ae3b59552868f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5452e90cc72509069e81c04bbe9e3dc3

SHA1
c99144904cc1b04a5cde31e2254d171810fae8b7

SHA256
dcc2663f2ab0a5a26b81ed925ae1b5cda89e0c80dd87c9900ccca28f5eb3a367

SHA512
7cc8c70ab7d7d005d39923c847fed13f7678cc3f0ab2d3c1368593ddd396804f87079b3baf1e80f2c13973072051c617ea6d368317c6fff1ebbedc9557a70d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
193db4d6ad58e94632762cf81096d27d

SHA1
97848a0ecf983fb327bc8bbad750de6a4644b75f

SHA256
300cae5e30415f9b9e8874db748b011bca395afb3f92385fd56b2f2be48b1964

SHA512
c7f1658efefcb5bee090807e97808dc90a72eb30745903b43de6043354c2ea67856abe3c3df844d4b0e87e7932e5779e51a1922ee32f2611398c4ad278a4699a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7041bd958c96004f4f13f97092bf0b0d

SHA1
12fe6ff6a23130377beefa42b0161944f95a2f5b

SHA256
4dbb7344565c09198ebdeaa942a4c485f2e2872c1805e2d625ab749fd5b08abb

SHA512
a9e5de43fc379c53256f17b7b5612e7a75c74061210574eb6917a09edf42e19ece7108e6724df7a4651665e57698ea2e3c0c2d6a1508881d38c3e6520d26a321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4a08f92aafb71b3357170b3ca2f9e9b1

SHA1
06a95bfcdf856ac57828f67db3ceea5c137be7c9

SHA256
13e2edeb8820b8b2d1eb727270e759514882ba75d92c42176f98a39b96f9710b

SHA512
e1872263c841f0475094805f5ccff85145c168fe338213aec3480a92f492b4bac49158589c1c4bf37e6d95bf4119e6fb256aed5def995b831d56a4cf731c2f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
53a575e4b6ff89501916315d9a21a0e1

SHA1
3a4a98dfcd44fedbd725d3b36096e8dd16a23a19

SHA256
9461aee758b59fdb5410fd0c0bad5ffc7c1bb7f522d642e626bf8d26e8dc7081

SHA512
894d3009b4da8b2f9b035c4d23b3e4ea1615f4f589078fdd9e3fc8c21cb261f997241ab4dc596b34f71d05a8e4d7de37de8bdd1c571497e539f6a6678a98af36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjory2wf.v3u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
73KB

MD5
b7d668191f946ee108e7e1e71ea71776

SHA1
9f020d69b2bc828a6bf7cc5f4c7050a254d17464

SHA256
085bcc47aef41d67bcef760efd34846c8b39ed0530ea7e83f71fe02f864544c1

SHA512
e4090561859426f6fd79e7650db81f20642d9639ab58106a4fe9e36081778af5e444fe4156209695beacdcb09e79b0ee36b0f1bdf699e4711cbc14683295da30

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 929600.crdownload

Filesize
3.4MB

MD5
9f9bbd12ae5894046810e6736ec4d892

SHA1
9e81b764a40ec39f6667c54b8d40da0b97cb5a7f

SHA256
8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4

SHA512
57d5b59de422394856e15b2d65c1f2a9e85a1b012c954ecad98682a84c7f90ff00be91819c8ae9cd123270e2cf446d69bfb248bde471a29846d57bf401417eaa

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
276KB

MD5
0d3d9123958c3651d44b4fa85cb8ed53

SHA1
7a08db20a780eb6690fc4fa958bc1eea20e6d2ae

SHA256
f590d07eae0df2ca477073ff660cd9f57d7a24eaa81902003370e06264150739

SHA512
e2ee2712e92db8cff0ba5e716fc18f2c743e958a1f5354c1145e02c3de1a89c81f2e9abe54f70a1c3e04e750535eef2e82d0393952c2257e564e0f5817fff249

Download Submit
memory/2984-2139-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download
memory/3084-2708-0x0000000035650000-0x0000000035660000-memory.dmp

Filesize
64KB

Download
memory/3084-2633-0x000000006C050000-0x000000006DA4B000-memory.dmp

Filesize
26.0MB

Download
memory/3084-2632-0x000000006BAA0000-0x000000006C046000-memory.dmp

Filesize
5.6MB

Download
memory/3084-2629-0x000000006BA20000-0x000000006BA9E000-memory.dmp

Filesize
504KB

Download
memory/3084-2902-0x000000006B9A0000-0x000000006BA1A000-memory.dmp

Filesize
488KB

Download
memory/3084-2903-0x000000006B940000-0x000000006B999000-memory.dmp

Filesize
356KB

Download
memory/3084-2901-0x000000006BA20000-0x000000006BA9E000-memory.dmp

Filesize
504KB

Download
memory/3084-2904-0x000000006BAA0000-0x000000006C046000-memory.dmp

Filesize
5.6MB

Download
memory/3084-2630-0x000000006B9A0000-0x000000006BA1A000-memory.dmp

Filesize
488KB

Download
memory/3084-2905-0x000000006C050000-0x000000006DA4B000-memory.dmp

Filesize
26.0MB

Download
memory/3084-2519-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/3084-2631-0x000000006B940000-0x000000006B999000-memory.dmp

Filesize
356KB

Download
memory/4140-1054-0x000000000C330000-0x000000000C362000-memory.dmp

Filesize
200KB

Download
memory/4140-1057-0x000000000C3C0000-0x000000000C3DA000-memory.dmp

Filesize
104KB

Download
memory/4140-1020-0x000000000AC10000-0x000000000AC54000-memory.dmp

Filesize
272KB

Download
memory/4140-1022-0x000000000ACF0000-0x000000000AD8C000-memory.dmp

Filesize
624KB

Download
memory/4140-1025-0x000000000AD90000-0x000000000ADF6000-memory.dmp

Filesize
408KB

Download
memory/4140-1027-0x000000000B330000-0x000000000B85C000-memory.dmp

Filesize
5.2MB

Download
memory/4140-1051-0x000000000BA30000-0x000000000BA4A000-memory.dmp

Filesize
104KB

Download
memory/4140-1050-0x000000000C1F0000-0x000000000C2A2000-memory.dmp

Filesize
712KB

Download
memory/4140-1007-0x000000000A2A0000-0x000000000A844000-memory.dmp

Filesize
5.6MB

Download
memory/4140-996-0x0000000072BD0000-0x0000000072BE6000-memory.dmp

Filesize
88KB

Download
memory/4140-1046-0x000000000B210000-0x000000000B21A000-memory.dmp

Filesize
40KB

Download
memory/4140-1049-0x000000000B230000-0x000000000B280000-memory.dmp

Filesize
320KB

Download
memory/4140-995-0x0000000009AD0000-0x0000000009AE6000-memory.dmp

Filesize
88KB

Download
memory/4140-1052-0x000000000C1A0000-0x000000000C1B2000-memory.dmp

Filesize
72KB

Download
memory/4140-1055-0x000000000C3E0000-0x000000000C446000-memory.dmp

Filesize
408KB

Download
memory/4140-1056-0x000000000C370000-0x000000000C38E000-memory.dmp

Filesize
120KB

Download
memory/4140-1008-0x0000000009BF0000-0x0000000009C82000-memory.dmp

Filesize
584KB

Download
memory/4140-1053-0x000000000C2D0000-0x000000000C2F0000-memory.dmp

Filesize
128KB

Download
memory/4340-2932-0x0000000035650000-0x0000000035660000-memory.dmp

Filesize
64KB

Download
memory/4340-2951-0x000000006C050000-0x000000006DA4B000-memory.dmp

Filesize
26.0MB

Download
memory/4340-2954-0x000000006B9A0000-0x000000006BA1A000-memory.dmp

Filesize
488KB

Download
memory/4340-2952-0x000000006BAA0000-0x000000006C046000-memory.dmp

Filesize
5.6MB

Download
memory/4340-2953-0x000000006BA20000-0x000000006BA9E000-memory.dmp

Filesize
504KB

Download
memory/4340-2955-0x000000006B940000-0x000000006B999000-memory.dmp

Filesize
356KB

Download
memory/4340-2898-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/4856-1119-0x00007FFDDD860000-0x00007FFDDD872000-memory.dmp

Filesize
72KB

Download
memory/4856-1118-0x00007FFDDDE60000-0x00007FFDDDE87000-memory.dmp

Filesize
156KB

Download
memory/5916-2114-0x0000000006DA0000-0x0000000006E43000-memory.dmp

Filesize
652KB

Download
memory/5916-2101-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/5916-2115-0x0000000007550000-0x0000000007BCA000-memory.dmp

Filesize
6.5MB

Download
memory/5916-2138-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/5916-2113-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/5916-2103-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download
memory/5916-2099-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download
memory/5916-2087-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/5916-2102-0x0000000006B60000-0x0000000006B92000-memory.dmp

Filesize
200KB

Download
memory/5916-2116-0x0000000006F20000-0x0000000006F2A000-memory.dmp

Filesize
40KB

Download
memory/5916-2088-0x0000000004D80000-0x00000000053A8000-memory.dmp

Filesize
6.2MB

Download
memory/5916-2135-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/5916-2089-0x00000000053E0000-0x0000000005402000-memory.dmp

Filesize
136KB

Download
memory/5916-2100-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/5916-2137-0x00000000070F0000-0x00000000070FE000-memory.dmp

Filesize
56KB

Download
memory/5916-2136-0x0000000006EB0000-0x0000000006EC1000-memory.dmp

Filesize
68KB

Download
memory/6108-2170-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download