hxxps://www[.]ldplayer[.]net/apps/samsung-galaxy-a14-on-pc[.]html

Analysis

max time kernel
271s
max time network
277s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/08/2024, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.ldplayer.net/apps/samsung-galaxy-a14-on-pc.html

Score

8^/10

defense_evasion discovery execution exploit persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003\FuncName = "WVTAsn1SpcIndirectDataContentEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
2640	icacls.exe
2744	takeown.exe
1868	icacls.exe
5424	takeown.exe
5412	icacls.exe
3856	takeown.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 16 IoCs

pid	Process
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
5400	LDPlayer.exe
4908	dnrepairer.exe
4308	dismhost.exe
2200	Ld9BoxSVC.exe
2424	driverconfig.exe
5172	dnplayer.exe
5012	Ld9BoxSVC.exe
820	vbox-img.exe
3148	vbox-img.exe
1724	vbox-img.exe
4880	Ld9BoxHeadless.exe
1252	Ld9BoxHeadless.exe
2796	Ld9BoxHeadless.exe
5288	Ld9BoxHeadless.exe
2672	Ld9BoxHeadless.exe

Loads dropped DLL 64 IoCs

pid	Process
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
4908	dnrepairer.exe
4908	dnrepairer.exe
4908	dnrepairer.exe
4908	dnrepairer.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
4308	dismhost.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
2200	Ld9BoxSVC.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
5704	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
2792	regsvr32.exe
1388	regsvr32.exe
1388	regsvr32.exe
1388	regsvr32.exe
1388	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2640	icacls.exe
2744	takeown.exe
1868	icacls.exe
5424	takeown.exe
5412	icacls.exe
3856	takeown.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
423	discord.com
529	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\VBoxDD2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-process-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxStub.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSVGA3D.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRes.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDriver.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedFolders.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVBoxDbg.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSVC.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VirtualBoxVM.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-math-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3896	sc.exe
4452	sc.exe
2460	sc.exe
1324	sc.exe
2244	sc.exe
1976	sc.exe
6096	sc.exe
5568	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2648	taskkill.exe
5980	taskkill.exe
4840	taskkill.exe
5900	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133677319374064069"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}\ = "IGuestProcess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-EABD-4FA6-960A-F1756C99EA1C}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C380-4510-BC7C-19314A7352F1}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5637-472A-9736-72019EABD7DE}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7619-41AA-AECE-B21AC5C1A7E6}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C9D6-4742-957C-A6FD52E8C4AE}\ = "IBandwidthControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}\ = "IMediumConfigChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\ = "IPCIDeviceAttachment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E72-4F34-B8F6-682785620C57}\ = "IExtPackFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\ = "INetworkAdapter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\ = "IPerformanceCollector"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\VersionIndependentProgID	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\ = "IStorageController"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C6EA-45B6-9D43-DC6F70CC9F02}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DAD4-4496-85CF-3F76BCB3B5FA}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9641-4397-854A-040439D0114B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-32E7-4F6C-85EE-422304C71B90}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B4A4-44CE-85A8-127AC5EB59DC}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B855-40B8-AB0C-44D3515B4528}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0D96-40ED-AE46-A564D484325E}\ = "IMachineEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-92C9-4A77-9D35-E058B39FE0B9}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ = "IUSBProxyBackend"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\NumMethods\ = "95"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A161-41F1-B583-4892F4A9D5D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-26f1-4edb-8dd2-6bddd0912368}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4453-4f3e-c9b8-5686939c80b6}	Ld9BoxSVC.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
4908	dnrepairer.exe
4908	dnrepairer.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
5224	powershell.exe
5224	powershell.exe
5224	powershell.exe
5400	LDPlayer.exe
5400	LDPlayer.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
5544	msedge.exe
5544	msedge.exe
3744	msedge.exe
3744	msedge.exe
2836	msedge.exe
2836	msedge.exe
5868	identity_helper.exe
5868	identity_helper.exe
6208	msedge.exe
6208	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5172	dnplayer.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 52 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe
Token: SeShutdownPrivilege	4732	chrome.exe
Token: SeCreatePagefilePrivilege	4732	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
5172	dnplayer.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
4732	chrome.exe
5172	dnplayer.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
424	LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
5400	LDPlayer.exe
4908	dnrepairer.exe
2200	Ld9BoxSVC.exe
2424	driverconfig.exe
5868	identity_helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4212	4732	chrome.exe	81
PID 4732 wrote to memory of 4212	4732	chrome.exe	81
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4060	4732	chrome.exe	82
PID 4732 wrote to memory of 4628	4732	chrome.exe	83
PID 4732 wrote to memory of 4628	4732	chrome.exe	83
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84
PID 4732 wrote to memory of 3240	4732	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.ldplayer.net/apps/samsung-galaxy-a14-on-pc.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb269ccc40,0x7ffb269ccc4c,0x7ffb269ccc58
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3668,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4832,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4508,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5056,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5044,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5396,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5552,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5860,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5884,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6188,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6180,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6228,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6496,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6592,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6900,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6620,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6612,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7196 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=7320,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7312 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7184,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7484,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7612,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7988,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=8008,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=8016,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8428 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=8024,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8564 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=8032,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8692 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=8040,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8820 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=8048,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8956 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8056,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9088 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=8064,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9220 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8080,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9256 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8088,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9492 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=9620,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9352 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5232,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5504,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6800,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6504,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=6580,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9488 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6556,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=4868,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6524,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8148 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4496,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6588,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8180 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=4252,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=5000,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=5880,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=6312,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=6200,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=8156,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9100 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10196,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=8748,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6716,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1492
- C:\Users\Admin\Downloads\LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:424
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnplayer.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5980
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayer.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4840
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM dnmultiplayerex.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5900
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM bugreport.exe /T
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2648
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5400
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524922
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4908
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:820
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:4656
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5140
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5424
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5412
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3856
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2640
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\6C5DBBC4-B2EE-4E80-88FE-830CB985572D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\6C5DBBC4-B2EE-4E80-88FE-830CB985572D\dismhost.exe {7E157141-AFA3-4093-B2C5-39890BEE4AE6}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4308
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1324
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2244
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1976
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2200
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:5704
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1388
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6096
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4476
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5224
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2424
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb11ed3cb8,0x7ffb11ed3cc8,0x7ffb11ed3cd8
      4⤵
      PID:6072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:4308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:6096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:2424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:1060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3664 /prefetch:8
      4⤵
      PID:200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3984 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
      4⤵
      PID:3364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
      4⤵
      PID:6300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,8485373871245027991,17739753260269019827,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
      4⤵
      PID:7116
- - C:\LDPlayer\LDPlayer9\dnplayer.exe
    "C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.samsung.galaxy.a14.trend|package=com.samsung.galaxy.a14.trend
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5172
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3896
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4452
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2460
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
      4⤵
      Executes dropped EXE
      PID:820
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:3148
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:1724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
      4⤵
      PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb11ed3cb8,0x7ffb11ed3cc8,0x7ffb11ed3cd8
        5⤵
        
        PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=936,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7508 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7100,i,12084168176617932036,18191568579660363237,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7044 /prefetch:8
  2⤵
  PID:5936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000490
1⤵
PID:1268

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5012
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5288
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
77138e2662cdeffd61cf6210ae3fb8ca

SHA1
a085b99630efc74cedd0be9a0eeb57eff7b3850f

SHA256
68c83685da55573ae966db3113ee513dd76ba489024373968e527bd44d814724

SHA512
a4621910aa3ae4b5dfa558e69d0270717341467cf067d9397e2bbf118f789c87eef8750ecb25ffd9c60f51f35ceb40b211ce9a738116c4dfc06e543ac90d1bcc

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
6fe5ee1daf303963482ffc414b1f4aed

SHA1
076ebaeeb02853d96e20085fbedaf7e61f3a60d3

SHA256
2685e5c1aa3cdead02024f21abadb413c6dc130946f7b44ca01b0cea64bdd2ae

SHA512
8bc6758c95a53ebcd6b6fd27bdd3165f91bcd8f370d677afb7d599865b57ecad274eb21502235eeb64ad2624046cafa9f14576221b1503e333815df5a6dfe134

Download Submit
C:\LDPlayer\LDPlayer9\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
5be810db8d9326f2071871e506bc347e

SHA1
ace9e86b2c7cd0be79a2108c54a461c59f57ee97

SHA256
52522dfe4341de8d2fa6243445be0dab23344b9d10b39af7ff7b7c862fa391de

SHA512
5c63ef7ac02fd8c27fe022915e40563596b4c6102b7a8ee20fa72d91f944107ec6574b0a7ea89e749fce9962f2d781ee86380d987d0885f18a2807eb1884a10a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cb462333eaf1d2da0640076fd8517544

SHA1
5b97ac80b31652b6dbd4aeac638e7dd335d77913

SHA256
cf4798afdc0e95bdfaf9e2aa7c855de30725da4cc6f918e7c4eafd8381f90eee

SHA512
cf910435681280dae640d734b0356b18bce88fa23ca8658f578f86eed3ba5d9b69baee8563ce9dc6fe7185e92e258c1e3c79ef214ce35b361a0253149a3d374c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
119KB

MD5
329f4f657ed48c0f7898a3be9c615ec1

SHA1
527770ad27b46979f41ab7909a785bc7b767871c

SHA256
7b03cd4d4d1c088f9196cad6d4efee61167fe9fbbfda4498417290ef0f211c23

SHA512
1c42d4c7d47d156e282e1d6c577e1955e8037105a534b5a17289e42d86e89f5321cbec23c832ae62789a819e96e3223d50f01417deaa36d1611e0dc1c4b637a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
27KB

MD5
46e6043b3a70e5986f0b72a748d9e3e2

SHA1
5d3ac460401a49fb84286e0f8b9edf6167530fa6

SHA256
171b12a8c0900d5f0d9e700eb668c02f167ad6f7adce4b9c36201ee10aeae005

SHA512
c0f875ed0d9e05a7439ac9d160edf59ed3b1b384b87dca5b75de3ba11a47a94d543f108ee60aaf421c965c0635408003535795e0f6601afdef4010d982724385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
16KB

MD5
89a574ff00e6b0ec61d995d059ce6e65

SHA1
aea09e96808ab77165ffa712eaa58b8f056d0bb6

SHA256
e5c29c139842fd487473d0824f2c01b374680fb35d22fa929686d17896602a44

SHA512
30d0d40bd680e61968273155b740901cdfa66670fc2af6f23e44c6b998b67cc1fcd0b51bd5f9470f209f188e75d071355e592b2a7c97f4bfd15d07d455e0909d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
16KB

MD5
cfa2ab4f9278c82c01d2320d480258fe

SHA1
ba1468b2006b74fe48be560d3e87f181e8d8ba77

SHA256
d64d90cc9fa9be071a5e067a068d8afda2819b6e9926560dd0f8c2aaabeca22e

SHA512
4016e27b20442a84ea9550501eded854f84c632eeced46b594bcd4fc388de8e6a3fbfe3c1c4dbd05f870a2379034893bfd6fd73ac39ef4a85cbf280ab8d44979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
21KB

MD5
c55dbb2a5e2048f8ac7b88cafbe13ab6

SHA1
6629572a0fd059184b4e5c57687fa414fa7283d3

SHA256
a82abfaf7dd683f673153324de1295a2a952e5b40fbbc581b5fc39603883f5cb

SHA512
61336d53f5f14636ad0552e92bafec6ab262faea08d28143dbe6f631bd6be86ed1b6b2dd5a2127cde53a1405ee4bc8384c3327521571917dc22c7fd553f108aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
63KB

MD5
67e59a06ec50dcd4aebe11bb4a7e99a5

SHA1
5d073dbe75e1a8b4ff9c3120df0084f373768dae

SHA256
14be8f816315d26d4bc7f78088d502eff79dee045f9e6b239493a707758107fe

SHA512
6364515e92ed455f837dcc021cc5d7bbab8eac2a61140de17ff6a67dfdbbd8fbdded5ce739d001a0ba555b6693dafdb6af83424d6643ff6efddc46d391b21d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000037

Filesize
20KB

MD5
631c4ff7d6e4024e5bdf8eb9fc2a2bcb

SHA1
c59d67b2bb027b438d05bd7c3ad9214393ef51c6

SHA256
27ccc7fad443790d6f9dc6fbb217fc2bc6e12f6a88e010e76d58cc33e1e99c82

SHA512
12517b3522fcc96cfafc031903de605609f91232a965d92473be5c1e7fc9ad4b1a46fa38c554e0613f0b1cfb02fd0a14122eaf77a0bbf3a06bd5868d31d0160e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
30KB

MD5
6fb26b39d8dcf2f09ef8aebb8a5ffe23

SHA1
578cac24c947a6d24bc05a6aa305756dd70e9ac3

SHA256
774379647c0a6db04a0c2662be757a730c20f13b4c03fe0b12d43c0f09e7a059

SHA512
c40f4771c10add1b20efb81ee3b61fc5ede4701587f29a1c2cdde8b6faabd1c76d769bf8b99aa19082012f95d99ba448a472463fb9056acd2e43542e14e605cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062

Filesize
3.4MB

MD5
9f9bbd12ae5894046810e6736ec4d892

SHA1
9e81b764a40ec39f6667c54b8d40da0b97cb5a7f

SHA256
8d48d0a05d581922a4d30ba98cbf51ea981a37c95fad689e0b84b979e312f6a4

SHA512
57d5b59de422394856e15b2d65c1f2a9e85a1b012c954ecad98682a84c7f90ff00be91819c8ae9cd123270e2cf446d69bfb248bde471a29846d57bf401417eaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
25KB

MD5
05e9679509b61424a07cc4d4efb7247f

SHA1
db4fcfac1d89c7e4f0bdbea9023034b64a9dbd81

SHA256
31798b2630a882be758010dfa51b12026c8fd81f0e4068b38fd739cac78cba0b

SHA512
1cbe7343e19b41f3f116a93d598d7b67779d29c6bc0a7b086d112dfcc76fee60811290b67b5d2561751700be483f6cd460b9b4c8325397813314ba064e4c2208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000071

Filesize
57KB

MD5
9d20eb804997d4975bc6dbbeae685370

SHA1
9d865e910aa409ee4b3b502ef91669d0972d911a

SHA256
406b88ec04620adfbc69711d62555ff821f3e8d3441ae6fb1ff0682cc7b36439

SHA512
9ca848c27c244f0300a96e6d90dd1ebc354642e13c5716d195400729cdd375a15ed9cdb8b5997369d20a989c4f97360e0568b1c201518628818bed9c535fe7fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\997ec6074dcf01fc_0

Filesize
54KB

MD5
5bce8f67b0d5202c01c456fd5e34f317

SHA1
ac874f14d36641b98fa09c3fe79ee83d460049a5

SHA256
4ae4fb10d1f151b8946f04c2be38ed3dfa6d45acd9b9c6fb77b4560fdcb42aa5

SHA512
87525523aa1e78f40348edc00f16d78bbae99794cf2b773bd4cc30c19b6568a2598c2f464088c0cc5d79b78305b3f7cc825ca87d66d179cef09367dcce2fac8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d96bd3b61b9f2877_0

Filesize
252B

MD5
9e46df72e43d1e4c7cf8014e4640ca07

SHA1
ef38aacdc7413475c106aa4ddda517b6997cfcba

SHA256
85f06a0687bd3fe45b204f622e3edb326ef40b7d98adb8519c9862510bebcd3c

SHA512
937af1a5029863a3cffc70b922ed5b8d7f4012129127e97d476d53df5a67263924ed4d191f5a56f2a2cb113bca6d46d1be328f318c0e0f931ee859d616ee9c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
0211c28f5af7544f8014696f003311d7

SHA1
1f2db9ff3ace44864e1fa7b650a9cd047841fb68

SHA256
4b940f4ec93938af254ac7634e140338a760feb6211766d4888cc2982bc30696

SHA512
54b13dd5dd39b1377175f40dbedc704c43c690f778bde43b8fbe1952e3a8bef597ffd4dc27ffceac8e74ab320b290387c815db053679837f56eb7400646709c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\65e337d7-394a-44c4-b3e2-e77be3ac4c5b.tmp

Filesize
3KB

MD5
8a1bb0a90a21659619b2134700dd653e

SHA1
c32e8b44ee71aa31bdf6ec4147bce9943cd88b29

SHA256
b775e3645515126b8025259d9f868787fc6016ac019b25e3a6a6938497dbe1af

SHA512
912d53cead8bae4d16904a6836055f480195d4fe651e4460f062c602f01dbb4613ffb547e830948aa9575cbf3b7efdb37c13cac0c5a39741e01f299d86bc99d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
34KB

MD5
031f979e7804c12be42953b75ee24298

SHA1
b6c484320ad505e6417d3d50c14acb89addd48e3

SHA256
a6ba4896ca31da28ea74fa828c8d46aeb4b47249c0292844c3b592f38f05c6b3

SHA512
a1491760d244482947168835b2fbfe17967c130acae1ed27859c56faed52bef3e355501fae8d1b37ac70e7d291b3892f5f2c89feda7359b92ac8340e5498e90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
32KB

MD5
a923aa9f1c01cdffadcc045d3280e58b

SHA1
bda4e89434c59ff11c50ec95a6e12a78921eaa90

SHA256
bccb37cb64e871f5d5fdc1d25237a744433fcf7425a0812be9c8b78101a0b749

SHA512
79e912d10232e06e2abe7220dc81f34c716d960789fe0e17c9c9faea5bb7e0a4a33538b2a41b3fd03ce47865b20e7434813743c0d67ec71aef75fe00c027bf6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
658126ab612e59a6c24b528d4ae8b5d6

SHA1
d2246adbb6e2442e9d426c662ef41c8b3f9e2408

SHA256
3b474c18199c614aad4ecf7572df3387614705b105a39cd4a3e69e8da689badf

SHA512
a7e0c15234ac4ed364ecc5c66a02e5d40da0a209c6bd6b0081a1f4bea4974d3ad4f0ce3081e30ddccab05a4191ecb227bcf48281dd47eb4c0ec3c7bf5de2ec86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
fcb34b783bca583026a079cd20dc1054

SHA1
b0d99429bcee854c2cea6a5b7ff5d5e242d9fafc

SHA256
74eef1b902beb41f22c42d379f8716b582e02c6a2c85cf6f7205f54a1b8da71b

SHA512
b70c425d89581c9a8612686ecf925d310fa06fc9834661c67425c7d98864ba236c3bcc2855b66b660144b7aef83a00d7e5581a5333f112e72ef2d9178f0abdbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
502385e4091681d53a0bd41e8a574156

SHA1
bd1a53175130fa974cded45146eb6fa9210bf3c0

SHA256
06f89a42f77fa9ef33f4cae248cdae7a25afacd258a6db0104eca61d01851075

SHA512
b6492365ea647b45ccc530828f3a5a49d07d98c0fe9e05d38a744d274acf3139e0c9d91403708cba563fd47e12e653a6e33eedf7d1c3f5c368214b12d226bb9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0d3a2952efe8756f004ff5dd818a0640

SHA1
db896007961776ff81eaf21300d949024cc994dd

SHA256
3a8825e0c33ac285716ef58f54c5fafb8117de236b71ee69bad4982498ddf27f

SHA512
2704b699e0604805e041664fd9ce35dbce47eef59862927c1e0b73dfc546b321efdd63ab06efd04e580b5c0e6bead31a092fa089262c002191f8ee20287e315f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddbf1d6c86a66fcf15625900671317a4

SHA1
bc08e0c24663515723bee9ffd7d5b81448446933

SHA256
31f30588e14a7fe566bdb810f79b3590e8a6d04117e10ab31c278deabcdef343

SHA512
fdccee2179c6f60338f3b33254781ab5274b10484449d475f622917f6617247614cc2c16e7b72b0c6f20300b1c39b812e33c3dd0d4baa48628027218ff8852ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84c0530f335f7017bdf7b44c74c096a4

SHA1
59039ef74c70d6fc20321f0589b898e1c13afd77

SHA256
9c2400d88991ec94437e75f715c2fde15cdf9cdf38c78744636c67091c11969b

SHA512
60d3b87c83bce06503410c0ae0f00755d3f3048896ae70ef371e81f4b890bfae24a7e8a18f8aba5e759f0bd2ff85dbdd000e145107109c3871fd50373b1b5681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6bc92758e151026fac5f3e3b16f5637

SHA1
3caeeae7511c0454069e529fad7f0989fe12fc0c

SHA256
153e4343f6801f6599c502ed356dccc33a8e68fe98676734e9dbaeef2742784a

SHA512
277c95edd3cd7e4379caea23ea6aae9811eff4040f4e890d63ec8c522c56e6e5fe728b906a731eee94fe2a4485d3e131fb0cc8c4d46e984ab3092e691f04d78b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ca9e25ab2aaea753d278380d8cb04f5

SHA1
ff9f38cf4f98116faf140c3464100c41931738a9

SHA256
798261b876525c3b1a51bc883269bff818621e7a468fde7f0f340fecb8e1bac3

SHA512
45a41d1390f257756bc03b2bc5b22631030f5ee2195b8ab42dd83ce0e100f5c6e22580e9e219d48fbd75c7033bf8101fab2a38f8cb12908ef65643ee4ea018c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b74905d4f8de606bb3e923412398f828

SHA1
5dc688fb41dd6f2cbc1ba2b2c4d77865070ab392

SHA256
99efcad7a7bc9a82ca0d81488f3347db80d560176b71929e74c448357484c23c

SHA512
c91e11c1b64f93214ec20930b4f17c9677405eb2629895b6e3a2bdd173f5a3743686c8e743081ba25e07bc3f864649d021b6a846febab7ab8e3ccfea6d797c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bc178d68df37997d702f3b14c67b813

SHA1
2984a57e3e96e7f6a668a6fbe01affa104ddc592

SHA256
40ab53b975af29d541dbc9c51887ebb23a44db0b43fb5964e1f8adbb74f15b69

SHA512
edd03a3b4e15ec6433c13f442fd03937c23637cc89f9bfdf4a7b434f4c403c19f8e10c58ebef37fb4bf0bee63434b9e8f53a02919855ac5f189cbed55a40b8c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
04fb756d787b0782e9b4942a67ae3fdd

SHA1
ab5ac56ee43222afb20d060edb47d7e5d7115af9

SHA256
fcab9440b848198c3d589830b9b9f801d59efff52c4d80004335d55c21078154

SHA512
a6b8fe82467c8bf9a149c25787b6f0055267c72fff4f4b2333450060ace81f88e4d54331c9182879c77f6cb0bae534ee47b9a2b9f962a9ed8d59bb4e2517f8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c842dece33d56128d145f8773b937f09

SHA1
7905ec78a8dffc26410fdedbb3ca2763128941fc

SHA256
81ad318d6743d30b741e36cbd8ebbd9cc63898ef22804ace90d5b1b47c37e3cf

SHA512
8356bd1f688869864c79d0048280e8369ae7d6c264576c9078476b368ed4c6481f5879bf1c8099cb085329e49ba56e5ce6e845a1cfb7f0bd186d7a4ac8a34fa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86a718ba079854a355491f30ea121ff6

SHA1
8bfc17aeee4a13b043cdfb427d322a9ea01b6a30

SHA256
836418ae32ea83f15d3e85601550b824cc848b12f1e6ee44945a4da1549012e6

SHA512
1710fcc114c93b099626dd2d8b63c770506ab147c3af067dbf6d77d18fea104e54c3cfa8ac5507d582bd44bca44396ad7b043d719534a0fba761d1a7bc08db1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
420cd4ad0c745ab07802e2271e1f933a

SHA1
33bff2d1ae7674b830d336df7a3098658a4be04d

SHA256
49b41a42db165bd928e69ee9ccd9596c97e832bf83156fd792e6b3cb0d4782c0

SHA512
e7d66ec512c9f2983ff58b039d807434bf03e93579c9183d43998613c321a718e483a8bcd363a5cbc2d21ed7373aa9d74868dd5fd3262b68f120f226368b361d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddd32b07580ce3c33757ccc4b19ef212

SHA1
93820feb36fab5ded021d2ee1cb9d01cb7caf950

SHA256
da56e026139acc14491183288404c6aae126a7fbb5c570c76d1217beb7e3767e

SHA512
110ea68b6fc090b5462f5c8b5d405a986c128d4c826ca1c09c4e32dcfff8317eb801b1f9a6de2f6ea17bf102b0064493606d1448f41423eea9651875367988b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43cda4eeb87fa49c19eb141217c85643

SHA1
dbced252a04de08ddf53b4b2c20804f7f3a6469c

SHA256
433ee4000f57452ddb23a886553f760da289e3b9dba4d3700e008159020c6692

SHA512
3de4d260bfc2c63d9ba5d73d35ff88503a988fbc49780ee6ed73a44998a9045c0f920912f76db8f7b07efae0151d93a5e10926fb683d12d2d5274a4081eb9370

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc5eb66889465d97c35878d63cab63c2

SHA1
7084a8ad7bdeaeacf1b3692caab60008050b41b6

SHA256
472caf8d4b699759d9f5d2db8dce86b2738a3afa6c7ce1dc01d5c85bf7b25e4f

SHA512
a06ad680d0fc5bd1f8e3e768ce18455315aa409514dcec4c396c2df3fdfca8e302f3577e84bc8a4bc472b28859a13bd87e09bd07ec021a7343c93de8ac0bc59d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dab366a147359a379742746d1777cf9e

SHA1
d9cb73b099df14f0549a1d4d5a62833155980945

SHA256
cba229d43a325ea8180a81019d4da26dde423b8aa361613fa253806268563cc5

SHA512
402b48f6b622ff5a9eb0d519c37b8260fc2c6491349f2e3dbba9e4c4f324897b7eb1c5f5e6c612e4f7c6f674ad9d00d2763bf1973c11242406d4d9845dd0d324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
813e58b8e21d0b1748f74a8d662756e2

SHA1
47b10130867d1c5494612e027a67e05e18c96de8

SHA256
82423b427fdff54d1ad5de41e2771e9887756dd19a6fff0d62b82540df60e03a

SHA512
4b35cc85343c5bc9eb6a568a5ee977649b4a6ba76c127dbedf3c33dbc4adf953ee26b27049b575093c55357617e1747b25b7ef7ffca7766fe6473a9531652a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6ec495d1fdd79d5d3d8494b7dd53e0b9

SHA1
e940089f89617fcd904117805da5c63919ee7deb

SHA256
ad4ef8376f7da9965233be86fca60a77edb07281a1965d8051b7f7cea05d7129

SHA512
76f5b82edac5e9a27b8e004e998287d2074c0ab37c064156e9a5eee446f500c825956c46980e867553bc266f16393747f358ab833984bf9084c7c077483fa1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d328ea932e26bebe4d0a45aa4ba9077e

SHA1
87b42d694509c3b349af7c77eae9d7648533bfae

SHA256
72dde9bd579b0baccc69f6b564f3745ddf5dd34974c0020bd8e33f93fdf8f4d3

SHA512
089610c83aed2d7c5e99bdb20ac58e2fae48e67c92d88839131795635d0f6b680b47781538ae75dd9177c08480e524d5c20dffddc42d649ef7c222028114a26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
32KB

MD5
5730615dc0f2a7841ccefa2564c0767e

SHA1
072ad6e1e8b062b4e9fd38568398b3982118319b

SHA256
1d4f1a8a04ab19cecffe2b2abfc2bca6e58a2223863524a5c4884e234a2f1824

SHA512
87ba2f3e3f1bd61dce7f49c09c9153a9abd168f0c49ea5390fc0e16c9c78f5ca5a997354cadfd997fdfa9f53afa7aed3ab3198ca3329c701dfb971fd580be372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
110KB

MD5
fb27a5afc7d344e6c83f807c6d8892dc

SHA1
4304f79089a599fa89e5ffec15a93d9ebf042285

SHA256
ef2f8bb51abc91e0640ee8d2d37b912feacb3c558b4da1b719020557408fa24c

SHA512
90b8e77c45cc92e44d4f1c43e9b2faa99e4834dd1c3cf28a118c5537580a17d1b10c87ce7b731a9c884866a1812fe59196bbd2eaed60b7edcfb59ce7853628fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
142KB

MD5
596016ca0cd6c3cca538019f694f03b4

SHA1
fd88c29039b1f7149bc569e50f5970c5a4452697

SHA256
4450ee7f6bbcbf4b33c15db024b058a7c312b10da7baa80b8e6cf62275622c1e

SHA512
d4821ec1c73013e5f5329cf3b1d75442fd58b4f5b53d9e93901484bc334ad6f066641f8249fbababf373768b32c3a20b607e0ad46c48ffad88cf3d579c1239f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
36KB

MD5
72ba3480e1aecb7a48c67e9ca03f646a

SHA1
12872e46c044abf567c68b965328c088ba1297ad

SHA256
8a6df58943d92b54faeb6d173cc7e57ffd12d9cbd40f9d02612d1779e4433e25

SHA512
29837341a677ee47c010651756bfa753c7a71e915dd108af88f4df83820233048e90cffe1a9b8972ab9a7a8f9086f48917ad8a297822ceea72b731ff8c0e8e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
369de3bd685199d14ff6882482af997c

SHA1
74251279cb60e4a0d4ce192cef9563e0da69b590

SHA256
86f13e122a4bf3401c36418a3445229e887b38f96ef96f437eb723be166d61e6

SHA512
1b632c1c2916563ec45e81d87986637584579c5120fc60aca442309e2252a4bc12173b31ff09089a50150f612f9987283fe10dbba68165b9744409243fef367f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
63c5b7b0a5064612c5691213d4e0bc30

SHA1
8b2bc07a935b5a41a158bc3db17a6c61adcbfe80

SHA256
5d81a5c595045611ca96cc0aa82e3fa5912abd384e6f31a046442b7e72ec4fe0

SHA512
bf8cc83b7563faa6d04f0a000cad9d23ff90f262efaa08ab6d7decfed9fadab057013b839141307306581d209dcd8dc819f37b17f4fb5aed4684c398cfc4867e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41f2f6b7b067ec9b07ec5ef31e655420

SHA1
76bb02d14bb7d468c3b0306dd3b4c4f0211bcd6b

SHA256
8bdb570410e9de2a901ed6c41fb51cb22200e26e5e99f532cd5f3fde43692a61

SHA512
5b8017af0ddd9066b1181e77cb182bd53a340c49b8634619ee2832002b8108b683aa4be199e27f1839c83c9223682126ec137e6d59ef41fe84d36f38b8608978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
26a87ec6680ee093355fb52e980fa24a

SHA1
415b66b4d86914ab043dfca125880c9b24e12436

SHA256
ba9b8fcd2cbe9fdd19096b48301bec18c72295a29dc2ea7d803e375e31ef32a5

SHA512
862b1d422ec6eff878831198ac05762aa9060b38ce2f1d645467b6e551eee6d6f21b0dbd9a963895adbbc575a5291d0adcb84930f0332277b0676734698e0ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
122bc474329d1166de9772dfd890ca35

SHA1
2765798669b0315c0da9016bf4e5733eb7c10616

SHA256
ec52df492f7b111317a427ef274fffe711f6022b8cacb5b3e1f83a81688b2b16

SHA512
536a629c8fceb36791e2de66badf4f0bd0388c06ad273b3591136ebfeec9fcd8624b7d0bf24ac95440a2b7c222399c6850faf40c8990f350589b948660f58cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c643e884b82232d798ad60952c5988db

SHA1
6d0c00fb407974b68dcc8a20c3a0f0342bb96e93

SHA256
7ea113654f2dd32c56940893a7539e7cf47de2e7b69142ff2b97e3acd6110c8d

SHA512
d020eb0b3dbffbc18dbf4d63ae37a0fd0bfea190035ace18ad135cc7db52096373ede0452ee436db45999b58f8d2ef42750d231d247243393f4c65900c1bb82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ad39d.TMP

Filesize
1KB

MD5
754db9a1d4e9c5a8a2e824cbcd8ea520

SHA1
65c0d9cdd70ad5f49b36a80a7856fc11a8d26f94

SHA256
5f152db2e4ebe538a18db2fe32f0fdbeba6f92a90f02f0ab1f4990969e761e5c

SHA512
25a4167d2c2c8ae7a553a0544ec12e6e596f79d1b54a1b8e3fe50f0ffaa9ad9204542b58c952fc46d472f0a78f8ad9c6142e8f43cc8022749b6a6fdf715f276f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dacc50073b592f9da990d4ccf2d03f94

SHA1
1b7ec048427972b5493671c0e0cafa35aeb22c5d

SHA256
c974ffc89a909822720a433359eb795d466346796ac9008e600ee10b9f3e2fe1

SHA512
948b69312416997c00f0d5593b2b85ce419e2095dab4008bf42b8a1d8e7498ba48b049137f2a29ec496edc05a266f7d3cd7b3d78200c89d135e74a88f8589844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8578e376993dad28d1f714cc6ec4b3b8

SHA1
2329dfda7f12578f22ad75fdbc71a6819f0d849f

SHA256
1217b68fbabec00e15c5c251e2e32c7848c045c6fef70bfa41a63f917cfd9d6a

SHA512
3aa1dad04cf84215150dd9025fe27bc708af4c1505bad0c75f3363fd086475289997db954625d5a91262cca89df7a08b8be0d92dd0528942c1a4271fd08919a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
79KB

MD5
d9cb0b4a66458d85470ccf9b3575c0e7

SHA1
1572092be5489725cffbabe2f59eba094ee1d8a1

SHA256
6ab3fdc4038a86124e6d698620acba3abf9e854702490e245c840c096ee41d05

SHA512
94937e77da89181903a260eac5120e8db165f2a3493086523bc5abbe87c4a9da39af3ba1874e3407c52df6ffda29e4947062ba6abe9f05b85c42379c4be2e5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ecpg512.v1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
73KB

MD5
b2e3ba2084f827f2e46a917983363f0b

SHA1
41fd27f8688b7a755abc0acc72a2a6a0e1045c78

SHA256
7daa3d35584a7e87c3e8e3afeb436d088209966471d6c766328087823f1f3e73

SHA512
4aea989bda6efc91836264f04f23fb3760764e3ef7809f618ad949c2e64b5a167fe5d054607535ec22fea4942d9ddc5ea7f70a1f529ee23633c1cd275d90e508

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_com.samsung.galaxy.a14.trend_3040_ld.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
23KB

MD5
dbfb2348e18a5eef81bf3b73148c2d65

SHA1
6ab7aff84353763da77f8652de095e70181f3d3b

SHA256
69e873ca05dd088ddb5e382634bd55f4d01b4e33f3874508276085dc7082aea3

SHA512
c8455b2176f558449606898696acdef997fcb82c52286b35c083a37ab2fa6ed18110333ae49dd7a1aecce996df8ffe52a3d8164934e0fd2eb6b06ea23ebfcd8e

Download Submit
memory/424-1105-0x000000000B390000-0x000000000B442000-memory.dmp

Filesize
712KB

Download
memory/424-1111-0x000000000B5D0000-0x000000000B5EE000-memory.dmp

Filesize
120KB

Download
memory/424-1113-0x00000000727A0000-0x0000000072F51000-memory.dmp

Filesize
7.7MB

Download
memory/424-1063-0x0000000006670000-0x0000000006686000-memory.dmp

Filesize
88KB

Download
memory/424-1106-0x000000000B330000-0x000000000B34A000-memory.dmp

Filesize
104KB

Download
memory/424-1066-0x0000000008D80000-0x0000000009326000-memory.dmp

Filesize
5.6MB

Download
memory/424-1067-0x00000000088C0000-0x0000000008952000-memory.dmp

Filesize
584KB

Download
memory/424-1077-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/424-1078-0x0000000009880000-0x000000000991C000-memory.dmp

Filesize
624KB

Download
memory/424-1079-0x0000000003500000-0x0000000003566000-memory.dmp

Filesize
408KB

Download
memory/424-1080-0x000000000A2C0000-0x000000000A7EC000-memory.dmp

Filesize
5.2MB

Download
memory/424-1103-0x000000000A1B0000-0x000000000A1BA000-memory.dmp

Filesize
40KB

Download
memory/424-1059-0x00000000727AE000-0x00000000727AF000-memory.dmp

Filesize
4KB

Download
memory/424-1104-0x000000000B180000-0x000000000B1D0000-memory.dmp

Filesize
320KB

Download
memory/424-1064-0x0000000073060000-0x0000000073076000-memory.dmp

Filesize
88KB

Download
memory/424-1107-0x000000000B4A0000-0x000000000B4B2000-memory.dmp

Filesize
72KB

Download
memory/424-1108-0x000000000B510000-0x000000000B530000-memory.dmp

Filesize
128KB

Download
memory/424-1109-0x000000000B570000-0x000000000B5A2000-memory.dmp

Filesize
200KB

Download
memory/424-1058-0x0000000006350000-0x0000000006360000-memory.dmp

Filesize
64KB

Download
memory/424-1182-0x00000000727A0000-0x0000000072F51000-memory.dmp

Filesize
7.7MB

Download
memory/424-1110-0x000000000B620000-0x000000000B686000-memory.dmp

Filesize
408KB

Download
memory/424-1156-0x00000000727A0000-0x0000000072F51000-memory.dmp

Filesize
7.7MB

Download
memory/424-1119-0x00000000727AE000-0x00000000727AF000-memory.dmp

Filesize
4KB

Download
memory/424-1112-0x000000000B5F0000-0x000000000B60A000-memory.dmp

Filesize
104KB

Download
memory/424-1115-0x00000000727A0000-0x0000000072F51000-memory.dmp

Filesize
7.7MB

Download
memory/424-1967-0x00000000727A0000-0x0000000072F51000-memory.dmp

Filesize
7.7MB

Download
memory/424-1114-0x0000000006350000-0x0000000006360000-memory.dmp

Filesize
64KB

Download
memory/2104-1805-0x000000006E170000-0x000000006E1BC000-memory.dmp

Filesize
304KB

Download
memory/4476-1776-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/4476-1790-0x0000000007650000-0x000000000765A000-memory.dmp

Filesize
40KB

Download
memory/4476-1793-0x0000000007820000-0x000000000782E000-memory.dmp

Filesize
56KB

Download
memory/4476-1763-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/4476-1764-0x00000000055B0000-0x0000000005BDA000-memory.dmp

Filesize
6.2MB

Download
memory/4476-1765-0x0000000005C10000-0x0000000005C32000-memory.dmp

Filesize
136KB

Download
memory/4476-1774-0x0000000005D90000-0x00000000060E7000-memory.dmp

Filesize
3.3MB

Download
memory/4476-1794-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/4476-1791-0x0000000007860000-0x00000000078F6000-memory.dmp

Filesize
600KB

Download
memory/4476-1789-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/4476-1788-0x00000000074B0000-0x0000000007554000-memory.dmp

Filesize
656KB

Download
memory/4476-1787-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/4476-1775-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4476-1792-0x00000000077E0000-0x00000000077F1000-memory.dmp

Filesize
68KB

Download
memory/4476-1777-0x0000000007470000-0x00000000074A4000-memory.dmp

Filesize
208KB

Download
memory/4476-1778-0x000000006E170000-0x000000006E1BC000-memory.dmp

Filesize
304KB

Download
memory/5172-2306-0x000000006C3A0000-0x000000006DD9B000-memory.dmp

Filesize
26.0MB

Download
memory/5172-2302-0x000000006BC30000-0x000000006BCAE000-memory.dmp

Filesize
504KB

Download
memory/5172-2303-0x000000006BBB0000-0x000000006BC2A000-memory.dmp

Filesize
488KB

Download
memory/5172-1934-0x0000000036D20000-0x0000000036D30000-memory.dmp

Filesize
64KB

Download
memory/5172-2305-0x000000006BCB0000-0x000000006C256000-memory.dmp

Filesize
5.6MB

Download
memory/5172-2304-0x000000006BB50000-0x000000006BBA9000-memory.dmp

Filesize
356KB

Download
memory/5172-1915-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/5224-1824-0x000000006E170000-0x000000006E1BC000-memory.dmp

Filesize
304KB

Download
memory/5224-1823-0x00000000064F0000-0x0000000006847000-memory.dmp

Filesize
3.3MB

Download