961c58e8acfb2e8e79defdc4bca76cca7a1b35093cff40de257c0ad936ccd7c4

Resubmissions

20-11-2024 19:12

241120-xwpnes1qcy 8

20-11-2024 19:03

241120-xqcfxawlhp 10

20-11-2024 19:00

241120-xnpy8a1pb1 6

Analysis

max time kernel
344s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

eb13fcb8e05c49d2125a5d253d88c87d
SHA1

db5ba1b0b0c111c9946666f800bbd83d1cd20c95
SHA256

961c58e8acfb2e8e79defdc4bca76cca7a1b35093cff40de257c0ad936ccd7c4
SHA512

e562afa3f750e517ab9651d5e52a3c0c6948e3f38d63eb6e5e308060503d7e404bb598e621846ccd205283e1df473e5c0f76fcfa4724e8b577824c22406d0a2f
SSDEEP

384:wjn1ocy4OoJ4lbGa/MvhpNFgDR9CRlObz6r0sZuL2fN1xCejiw:wjn1ocy4OoCEaEJpNKDJbz6r0sZuLULn

Score

8^/10

discovery execution exploit motw persistence phishing privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLPUTSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubDefCertInit"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

6040 icacls.exe
6636 takeown.exe
744 icacls.exe
4324 takeown.exe
6788 icacls.exe
7044 takeown.exe
A potential corporate email address has been identified in the URL: currency-file@1
phishing
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

pid	process
6040	icacls.exe
6636	takeown.exe
744	icacls.exe
4324	takeown.exe
6788	icacls.exe
7044	takeown.exe

Executes dropped EXE 16 IoCs

Processes:

LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exe

pid	process
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3424	LDPlayer.exe
1356	dnrepairer.exe
6760	dismhost.exe
5196	Ld9BoxSVC.exe
5312	driverconfig.exe
7128	dnplayer.exe
6648	Ld9BoxSVC.exe
2436	vbox-img.exe
2188	vbox-img.exe
6912	vbox-img.exe
1628	Ld9BoxHeadless.exe
4620	Ld9BoxHeadless.exe
5208	Ld9BoxHeadless.exe
6616	Ld9BoxHeadless.exe
5236	Ld9BoxHeadless.exe

Loads dropped DLL 64 IoCs

Processes:

dnrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exedriverconfig.exe

pid	process
1356	dnrepairer.exe
1356	dnrepairer.exe
1356	dnrepairer.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
6760	dismhost.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
5196	Ld9BoxSVC.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
7132	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3492	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
3592	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
7092	regsvr32.exe
5312	driverconfig.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4324 takeown.exe
6788 icacls.exe
7044 takeown.exe
6040 icacls.exe
6636 takeown.exe
744 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe

description ioc process

File opened (read-only) \??\F: LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

777 discord.com
778 discord.com
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

316 https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

pid	process
4324	takeown.exe
6788	icacls.exe
7044	takeown.exe
6040	icacls.exe
6636	takeown.exe
744	icacls.exe

description	ioc	process
File opened (read-only)	\??\F:	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe

flow	ioc
777	discord.com
778	discord.com

flow	ioc
316	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletion.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Uninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBugReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dasync.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5WinExtras.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuth.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxRT-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\GLES_V2_utils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBalloonCtrl.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe

Drops file in Windows directory 2 IoCs

Processes:

dism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1720 sc.exe
2332 sc.exe
4220 sc.exe
5944 sc.exe
6820 sc.exe
6968 sc.exe
388 sc.exe
5088 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1720	sc.exe
2332	sc.exe
4220	sc.exe
5944	sc.exe
6820	sc.exe
6968	sc.exe
388	sc.exe
5088	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exeregsvr32.exepowershell.exeregsvr32.exeregsvr32.exeicacls.exesc.exeregsvr32.exepowershell.exedriverconfig.exesc.exesc.exenet1.exetakeown.exedism.exeregsvr32.exeregsvr32.exednrepairer.exenet.exeregsvr32.exeicacls.exesc.exeicacls.exednplayer.exeregsvr32.exesc.exeLDPlayer.exetakeown.exesc.exeregsvr32.exesc.exesc.exepowershell.exetakeown.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeLd9BoxSVC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\NumMethods\ = "39"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ = "IMachineDebugger"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-23D0-430A-A7FF-7ED7F05534BC}\NumMethods\ = "22"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E254-4E5B-A1F2-011CF991C38D}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486E-472F-481B-969746AF2480}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC19-43FA-8EBF-BAECB6B9EC87}\ = "IVirtualBoxSDS"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C6FA-430E-6020-6A505D086387}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FF5A-4795-B57A-ECD5FFFA18A4}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-808E-11E9-B773-133D9330F849}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}\ = "IGuestProcessOutputEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\ = "IDHCPIndividualConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\ = "IDnDBase"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E621-4F70-A77E-15F0E3C714D5}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F8B-4692-ABB4-462429FAE5E9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4022-DC80-5535-6FB116815604}\ = "INATNetworkAlterEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-47C7-4A3F-AAE1-1B516817DB41}\ = "IRecordingSettings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4C1B-EDF7-FDF3-C1BE6827DC28}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-93AF-42A7-7F13-79AD6EF1A18D}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8690-11E9-B83D-5719E53CF1DE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-a1a9-4ac2-8e80-c049af69dac8}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3346-49D6-8F1C-41B0C4784FF2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-394D-44D3-9EDB-AF2C4472C40A}\TypeLib	Ld9BoxSVC.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 175071.crdownload:SmartScreen msedge.exe
Runs net.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 175071.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeLDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
3356	msedge.exe
3356	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
3932	identity_helper.exe
3932	identity_helper.exe
6640	msedge.exe
6640	msedge.exe
6640	msedge.exe
6640	msedge.exe
6664	msedge.exe
6664	msedge.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
1356	dnrepairer.exe
1356	dnrepairer.exe
6712	powershell.exe
6712	powershell.exe
6712	powershell.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
6496	powershell.exe
6496	powershell.exe
6496	powershell.exe
3424	LDPlayer.exe
3424	LDPlayer.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
4624	msedge.exe
4624	msedge.exe
6376	msedge.exe
6376	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
2028	identity_helper.exe
2028	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dnplayer.exe

pid process

7128 dnplayer.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

656
656
656
656
656
656

pid	process
7128	dnplayer.exe

pid	process
656
656
656
656
656
656

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe
Token: SeDebugPrivilege	3424	LDPlayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeLDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exednplayer.exemsedge.exe

pid	process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
3832	LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
7128	dnplayer.exe
2012	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

msedge.exednplayer.exemsedge.exe

pid	process
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
2012	msedge.exe
7128	dnplayer.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exe

pid process

3832 LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
3424 LDPlayer.exe
1356 dnrepairer.exe
5196 Ld9BoxSVC.exe
5312 driverconfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2012 wrote to memory of 5068	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5068	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 5028	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 3356	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 3356	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe
PID 2012 wrote to memory of 4608	2012	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95aa946f8,0x7ff95aa94708,0x7ff95aa94718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8716 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8720 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9008 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8824 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9656 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10192 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9784 /prefetch:1
  2⤵
  PID:6676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9528 /prefetch:1
  2⤵
  PID:6868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8508 /prefetch:1
  2⤵
  PID:6876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9320 /prefetch:1
  2⤵
  PID:6236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=10112 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10568 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11012 /prefetch:8
  2⤵
  PID:7092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10092 /prefetch:1
  2⤵
  PID:6284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6664
- C:\Users\Admin\Downloads\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_com.supercell.brawlstars_25567197_ld.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3832
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3424
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=655870
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1356
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:848
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:652
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:932
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:6956
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6988
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6968
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5036
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4324
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6788
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:7044
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:6040
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\9B674299-086F-4AFD-B49A-D867D0B39986\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\9B674299-086F-4AFD-B49A-D867D0B39986\dismhost.exe {FB17558C-DEF8-49E9-A303-58EB14763D78}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:6760
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6968
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:388
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5196
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:7132
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3492
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3592
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7092
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3944
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6496
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5312
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:6636
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
    3⤵
    PID:6712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ff95aa946f8,0x7ff95aa94708,0x7ff95aa94718
      4⤵
      PID:5648
- - C:\LDPlayer\LDPlayer9\dnplayer.exe
    "C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.supercell.brawlstars|package=com.supercell.brawlstars
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:7128
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4220
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5944
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:6820
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
      4⤵
      Executes dropped EXE
      PID:2436
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:6912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
      4⤵
      PID:2872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95aa946f8,0x7ff95aa94708,0x7ff95aa94718
        5⤵
        
        PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:6852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95aa946f8,0x7ff95aa94708,0x7ff95aa94718
        5⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:1140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        5⤵
        
        PID:4316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
        5⤵
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:2988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
        5⤵
        
        PID:6212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
        5⤵
        
        PID:6216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:3944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        5⤵
        
        PID:6404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
        5⤵
        
        PID:2488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
        5⤵
        
        PID:3108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14080556480138704103,14808828761321992881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10404 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7904 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9992 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11192 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14943860572840878746,15380545803842606265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x3fc
1⤵
PID:1100

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:6648
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5208
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6616
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
03746b5d567927bdb69499ec30039d8c

SHA1
93b08624bd80ed01c370e0ba9a2ee3824edd8733

SHA256
1e3b7a0ac94de0e7209b19b709a0ddd2effbc1b98437a81b3d3dac853ef54b77

SHA512
abf608e020e732407524b780bed7b894768f9828dbbecb1a66c9b6d8cb079380646bc228dce5f1bdbef4b089b241574a22c79eee3271a623cd05e7754ad83e19

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
2c8986ce6c1c5fcba4146f642e95d862

SHA1
a913254e6a9bd1db7825f9880a992f21a6827bd7

SHA256
07285fcc8e65f164c8897ebdb63dc44801dae28782a6b2ee5f3469c64952efd6

SHA512
a5b074ad394b75f2597007ca732f5e1b877fae483122332dbcaecfea0c6c52a658df8b5844e60280766fcd38333dfac3a259c159c405a83ea6b78691405203d5

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
744f97229b32e80620d853346d83bb92

SHA1
6b30b09595a71bf09d0592fd807060c0f5826fdf

SHA256
680013a5168def4d0f617cd15e76fadb2d7a90b8115ec8f19bf2fc1c6ca679d0

SHA512
00fc9115124f41baf0429bf01a1149ae89f6209ac7ee0610c825bb3abd3b4a14dfb5217802958f9ddfceb22d3b6167d481d51949102504289785a81953abd5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
151KB

MD5
0f31134987b19699ee4cd0aeb9071eb8

SHA1
fb922e4f7acacaaf82d18ff67f3edbb91f6bc32d

SHA256
06e28481014b8fd1a14aca11b356d3001bad5d467161793b3a13440717313a89

SHA512
02f8aaf584055393c15c291f2dea85f7a9f334df3d468e2b3ead674f3e12c754396b4694dc12e8a6c5ab51f89e47df1319b6682d87eccfadc76676e954a4e1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
67KB

MD5
672459215c78c87c86cfe4af0efe598f

SHA1
cad4b454aa573f8c199cd63f3eb8b8f9c25f03c3

SHA256
d17075e32e425f00b58b4d38c3b733019d49990bca81e3a9fbe059460f30e6b8

SHA512
eb01a2d53bfb29e8925d9d96c02c245bda9a388c1a6f4415717711f9d0acc3942f9b6dd670b2f66ec5e23ba4a168a5ce1df47df204d690091817e61e86fa05ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
32KB

MD5
7cc9b78226acb93f406eb1e4e17d4d5a

SHA1
8edf2712deade134ce6bd42fc8ee70eb68891656

SHA256
45afa895ac254a15f8928733b5c07204aee680dfc3f0b3a1e87da9430dd99ef7

SHA512
4dbd56f013826532e5ce24410fce357abeecec07e4d525cea627e911e96842ff0fa3a8848f8695a6476aef4c343601451a69d53e0469eb388e753956f94723cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
24KB

MD5
075e8c9e66326fb7cb71e05cca1ffc88

SHA1
b02005a157813bafa5ebda1d9a9faba2880910a4

SHA256
0f2b3b5f35783130f456bbaa7e9e3e410351366ca644e732bcccf0f6461c15fc

SHA512
46cfca583198f1e13ec57ae35be3a5382bf011684070e80ad4f58da64495a109dcf79ec96aba918f861679255597feb8739ebaf65cee4bc7ddab34c339224ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
22KB

MD5
4e7e27d04c5e340b359b2a33e167f27e

SHA1
05af37e7945ebc559160fb191ab7ea0950c4ece9

SHA256
428c684d925d32cd7ec809c5a53d38f085b4a5d4e4f8f49b7ed2f7b1e8cb388b

SHA512
9df4f928843bbe0f90ffd63bd9ef0f1d1a7eb52c0881342dc0d89cf1b0e9cfa59e3f744c6bcfc06bc5ee86479319d3061b655b9e95cbaf9d899cb3ac80cf63d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
22KB

MD5
ced0a21f917f2506efa4835a717bf1e9

SHA1
7025d48866d37eadf9d47c5db0a3f9c1947111ea

SHA256
11de708f5f8f69146c154901c1dacbf42953352a77aad22e8bbf07c87a8fdcab

SHA512
06d72e1c56c9fddac1c82e9d6d24ba98360c7de7408c9f071ed26517076891138ed633c1293837b53b1fc29ea812f429fb8e7d460ec4904cb0b89e181d337f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
28KB

MD5
003e46f9a68110b0a1a528f64a82fe5c

SHA1
973ff5a434ee193480c2e005782f98c6a2b77641

SHA256
1a9aac05d353092b91ed961a507bec8cbc5620838cf1b8952763abdf08d4a4ca

SHA512
48f569774c4b76e79a45f435177cd04454d5d6e0e559df5625c4def5761409d06b6823cdd461098d27afd22324f68c712c714766d2621999f6a72f209eb69cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
16KB

MD5
726e20cd56a3162627dc18aee6994fd8

SHA1
a765ff825c6416764ce87ff1ea7f0f9968142595

SHA256
5b73d7e5bfdcb42aac0e8526b1a594dcbb83971e2fc0f31cd03aa3515d96487f

SHA512
8214cbf83fa316b6e1cf660a413e007eaf927b5b1346d005ceca620fad1c506bee83d6c2739d91bd6be507f5c2c4d420e8770a6d45467266c6e2149eb8605d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
26KB

MD5
a76d8cb5bda015255950991ff2140e4c

SHA1
ca672034ac071b55e1dc51bdee5419560af3d940

SHA256
70b5e4caf91f5dc19b378e168535b41061892ee1f7ecad10217e0af4c0caa823

SHA512
d7463c677c2ffb5c039984c8c822d4fa6ea7c05ee5a7edd997d7c6aa9629e38adde33dc8061b432949601177236696b1b7922078e481884ad928326e6ab82a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
31KB

MD5
468ac85a673597c0b0cc059cdc3b394c

SHA1
30eb8be280cf6e963a9a7216e23e3c21235a24f3

SHA256
efec91452b5d372205e48ee420c2e21f4a8ff6abb5970ade2fb418cd2f430669

SHA512
f882d5f02552fea137fb19a1e37e4b8919c7c4c9dff146e19f9bed5c3feca70930c5ef18ca3dd54f66a275d9bd912552300393e8111c163f76d9ae3cc297fead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
17KB

MD5
6db80c3809b1abbbfd69cee3ceb2d884

SHA1
10615287e77b3c846367224e7f254125955e64fd

SHA256
b942dea6613394574df465ef15df2c1315a349be18248f0193cc4ac38b5ac33e

SHA512
294075f5e3c8349a2420b6abdf100f8d8a21ddde39bda8096626cbd47cbf850ad24c67c2ac0d899f0fa797989e0e0fdd17abc5a518f7ec3a23c3340b0dde1e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
18KB

MD5
02f8cb5b21eb519ed656c5fc99a8e2ab

SHA1
e9c386c2e3c3f5e0ba43e2c0d22df33a51ffb57b

SHA256
bec2174a76558bf81c5ed11e2461393b33f84dbe578ebd3dc3f2becdd2166fa6

SHA512
dd567c88ebd21f7d40a626ef55980f2f2e8f431cd9a90f6344b6203a069e9356038cee1961512d80ca164b233e4c2072b047865055335ea18607746bb19c644e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
27KB

MD5
81c35fc39bb6761304ff370ff15e7e31

SHA1
8f0d18a347003f3859edf9792d7926303e125a7a

SHA256
d5b160e8e708f955e2fba7daa8a4aa85ad8d4c3049b6b4e308a8869f83014795

SHA512
9bdfc308bf29d206db83d8adcf68779eba7f1d9aa93dae2e4c2f7b5c53532a0dd55456280c55671da262279054851eb2b52a365a36a9cacc680a8c68b797e020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
99KB

MD5
3ad1aabdc81a20c719c8826a93698d4d

SHA1
bec0f35829b01aa93ff7db02c977962b39539986

SHA256
9b0aaa628c79d953f0c2399804d2a4993a2fd718e9910d87e6c37ca089d8a0ad

SHA512
61bf66b7414922064d12c790b7df995d0cb71c42bea9148376f2abda5bf3269bd3b7a1769a9d9022cdb900a7a26569e88635338588948de754ad41d3323c2251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
52KB

MD5
2ef7d531ca2271542e9c4f59aee6df71

SHA1
c4b77e33fe62ecd3ef423182263d237504c131bb

SHA256
f7ce1eed3b026eb23416702e94243a8f5b1a2abd7a7cc8283127b3c42a7b3c02

SHA512
606899992500af6e5d5e5dedb0d8eb424d45140f61cce9437b8d2946e3aae62febc3ef06f422cbfadc0bf2defcb37919158650992b1f7624de8a72dacbc892fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

Filesize
107KB

MD5
3bc74639df80331b8c63d954891c5cd9

SHA1
e12f29236f5d010d81acb7e5f7d2e46546fd1390

SHA256
52dd8e76a1960b4977ba6b681aa1de8713670b82e0c31bcba818b298393e43b0

SHA512
c353d8e8ac7c4fc1d3c63ecc49e2f6f76676c0b5f0763c27ed6bb9cfe371980d2deed239b9ec73174c3b4c8be9c33c20054268c87d8dac5e6b136c7d413eaeb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

Filesize
32KB

MD5
b250fb3cf9c53ceb01860add21995274

SHA1
5e35f375a0af4175dec702045209383afa1ee6fc

SHA256
1ad2b7599c645f7f9632bbda2d4d1a441677619a070c720e81e9bb1ce9a7ec4b

SHA512
4f17544098f424435ae30a419fcdc5441c3c84d4594735751ab49a23fbc921d47753ebf7cb6fcb063e11ca7143159676e3332e217a69bf8f438e6979bb592632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
144KB

MD5
34edc8ade13754fad54a58a10e4282ae

SHA1
7f24040253d6c111d01da6289b48bbc86631a805

SHA256
4a58173e96e8291bf7e746f933ddc80747f8569872b004f0f18d46248b0c0f3c

SHA512
c3dac538481e8bb8870024e38b35a839593d70ce600758112a17c93b728778e9f3cd9e52e3211909356c913156424e9731bdb37724a3a8e3349ba4c73815a6cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
84KB

MD5
0ce4550d069deac99755b3307a9c1db1

SHA1
feb9f128c65d8d1168a0724aebaa4399cc177924

SHA256
d1db402a41f74a7fb185b6727e283caf9588e599d3a4d24d2c6415f646f8d379

SHA512
e1b7136dffd870fcd48fedce3b7be8ed27dd005ea58cc9ebfcff6d84d0ada65b2e0b60a3d34b8cca5294e0c4a680667c3cee3eed6291d581d84d07abb4ab3207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
28KB

MD5
1b8e5496aca8acfc597832f2aee42ec5

SHA1
9f8308fd46ec50e4de5419428107c5703ad36995

SHA256
7c3b99a73f295ce216cd7d8143af310fe64cd0a6d6f60caaa7c7c4c97442bdad

SHA512
f84492cf9efb9889e3578b0977d494367ca9bc9bddb0aaebdab5285850c59bbe918145abfa16a9725f4f47d5cd7c31dfefe98156e698a4a409288d5ae3e34621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
16KB

MD5
89a574ff00e6b0ec61d995d059ce6e65

SHA1
aea09e96808ab77165ffa712eaa58b8f056d0bb6

SHA256
e5c29c139842fd487473d0824f2c01b374680fb35d22fa929686d17896602a44

SHA512
30d0d40bd680e61968273155b740901cdfa66670fc2af6f23e44c6b998b67cc1fcd0b51bd5f9470f209f188e75d071355e592b2a7c97f4bfd15d07d455e0909d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
16KB

MD5
cfa2ab4f9278c82c01d2320d480258fe

SHA1
ba1468b2006b74fe48be560d3e87f181e8d8ba77

SHA256
d64d90cc9fa9be071a5e067a068d8afda2819b6e9926560dd0f8c2aaabeca22e

SHA512
4016e27b20442a84ea9550501eded854f84c632eeced46b594bcd4fc388de8e6a3fbfe3c1c4dbd05f870a2379034893bfd6fd73ac39ef4a85cbf280ab8d44979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000069

Filesize
65KB

MD5
8a42ba5472aa4afa3d3ac12f31d47408

SHA1
2add574424ac47c1e83b0b7fae5d040c46ac38a7

SHA256
759bfec59bce5ddea7751b7f93408074a8c27cb2c387b08b6b9f4aa111266ec4

SHA512
3e1081a6e1c29f6dae28ab997c551a6d107d4f4b7e0981a19ba81a30a4e420dee1791321dca8f4b500c9e7e4a41c5e5c75013a72e5a5cde3f7e6c50393eb10b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071

Filesize
21KB

MD5
ccc7d5d76a8b330d566eee83be82ad4d

SHA1
3245a1eea2c59bc546a81fa055b4bab8dc40b27a

SHA256
8d052174310db70b9a4d6f9a9a1ddf3ce6ba4f20f319acf5e74f809043e7a9cc

SHA512
78fa4e8e973bf102daf6489ff78118391259795432fb385f0ac1696857ef3bbdee497243ce27461c0973754d616563372831aafdcee0c7497e437fd0ac7efd0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000072

Filesize
20KB

MD5
fa4cc25f0f72ac052e9413b46705327a

SHA1
72127f17a73fdeaf1d867ff721f8115e90d82e8b

SHA256
62215bb3463a1bdbeab484739c056495d60f9e6feab8e3974cde6bf69504f05e

SHA512
b33ebe5aad7802e7aadf31bc490bb697a7a941c4ec9a03c211b42bf54403f05dba02fdbe42bd7c28a27e309c868f4d74c060840a4aefdff57ac9c5c2cb66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

Filesize
20KB

MD5
78b7e2bc0c3de7eac1c75d6a1eeb4c84

SHA1
b2fb8ccd4efb0195343f86b47d695b880ee204a4

SHA256
99af8df48b04e1f8036d2d85158afdc222d00bf53cd7245b0bc82583b3c83d5e

SHA512
26c78eb2b6b08205db7abe4c5a7c61a1aff33c0a49da9bdd600d299bb3e863dbba34fbc9a38f1cc879b3040d4f89c23a84046d830d5d928a97415c8bfc64d80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007b

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000082

Filesize
20KB

MD5
0fd3b46fd7e5dd422bde5768a83ffdef

SHA1
00bbe47c66179502aba235f9f5c01a0cf2e76051

SHA256
4027d8ff4ab76b54c34765b96344808d7ec72c0d8e1c26060a8a300f2933a72e

SHA512
d63690a50479d19b959ec1e7ec27214a4a53bb2205b9008982ccc68bab93f1cacc7bf788d20476dd9e0d9b12299f66803f5377136da28470dd460c875dbcea2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000083

Filesize
35KB

MD5
7c702451150c376ff54a34249bceb819

SHA1
3ab4dc2f57c0fd141456c1cbe24f112adf3710e2

SHA256
77d21084014dcb10980c296e583371786b3886f5814d8357127f36f8c6045583

SHA512
9f1a79e93775dc5bd4aa9749387d5fa8ef55037ccda425039fe68a5634bb682656a9ed4b6940e15226f370e0111878ecd6ec357d55c4720f97a97e58ece78d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008d

Filesize
80KB

MD5
793e258449ff1a840cffd2e6d93d56c1

SHA1
eaff63d9f3c7ae5c094be190d95de9e33bb6b3d4

SHA256
ad26be2c1dc6cb5b2ec10d22d9ed7adbe1fdf643a1203521af85f56709963029

SHA512
295c1c863060516e6feb103431a44c7580e7d298109331754147893a2bf2f16b2e3ae1b0f99835c3e3edefb390fab46e38d42337edd756c9596000e8ab25f004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008e

Filesize
25KB

MD5
777a63c7bb73394365962e8e0fd2dc01

SHA1
2ca4ef52bd745378018eb30180ffa208a76b5c04

SHA256
10a7f1cc102eed344c455765969891f8c4ef071626036419fba5f17fa42810df

SHA512
986adc9a20bad40f8cace5dd9af3c3ac58e2fddfb30363ef61ef51d2493e603e28241da0144833eb62cae3c2d3fd2a38ba0a4822f01eb890cf58c7d7febdb8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
35603df5b67a1314189e6fa10b27ed1c

SHA1
1dcfe166b0b031006ef2a05f66a7d8ae2a4ddabd

SHA256
e12ccc9d36d72225e188436e91340fc571cf3f83555e3489b67fab8338e828f5

SHA512
681f4ce12681860c28d9861c802cc992f86701629ce2ba4b21f94296c0b96112ba8483b51c2935ec28df276f211756529c55750daed9c6ffe50985a7d0b0457b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
46c28c77e0662324bf7a40223b480588

SHA1
7384e431dc7ebe61a0bb158146487c9ae7cf939c

SHA256
f7d7928253ed26dd262fe9344ba97afd1ec917c0d1327ec0b02565ee5b27ddd0

SHA512
816bb56f303e7557dc899ca94d2126c2cb50a2ee3471d91f7c9fd159c9f31bf067b4950392d676726e8e86203573df9792fbd38d50cf100d1aca8e84ef6eab7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
d9d036cdad5f3f6abd5f05a4475f967a

SHA1
a9a842f2fdfdc3268eac92bd06a39d4bb71ee4ed

SHA256
3571145fcf21791b5511e8dcb59c6fe5f4c01797daf69f828b166e33ed94fd02

SHA512
62d25187b224c9f2180f5376c73e795bbdb9544079125a9aac5e8bc459a96ce6a9712fc27a3c96a8120b482997ec5fc602b0c8af8c748b6f6b65f459c5f103f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
a6a60cee600c7f7ef525ad0e9a584b28

SHA1
075f4cf68d0fb763e29cdb426778096bda5bfa58

SHA256
d1029278c25a9022ca85a5f1c1f3a7d5dcae063697dac3c96947113993d6df00

SHA512
8ca3adcf21a7eea516b74e52d8bc1286d7682fe59d23c847116c2e44e1a80270d999f99c92d8224bb883c1af4eef8bf74c5b19d3aa3bfbe307d45db6417b2bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
7ac8921d9ac7a4168956a84c9bdfc46a

SHA1
8c60d4a4d1182955a86cdb307a9e73b00321179c

SHA256
5d536013428eaaf091c0b0d6f9cb9dc9fd4770c5f141e7b06b9f9d5ede580141

SHA512
06783738cbaeaa88e03d26f752f1ad56781b45ce80fb6aa54f07c398ec6b1d0d1cfe25c7afb037420dde5f8fa739fc870258189f199a40d4d217ea98e33c2da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
60a52adbed25f0e3402b9f5f219aa42e

SHA1
d3b6be98b9476a0db582b1c9071cd3b3f55de9e4

SHA256
07a95b7015fb7ea935f8ce9ed1ff808ab63d17898cfb96c371b604df81f7f5c3

SHA512
6cf410d79306f04e8fb3d42904ef1d093ba260570edcb5e1314c618da913184c6a12b4bb6b7b4c32b0fdfb9379d82236b2955f64dcece374aff179e935feb2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_en.softonic.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
23KB

MD5
6d3a72f014a3f8d0a32799faaf3fee0b

SHA1
89dcca2bd2a19abeb8299db6cefc18a34b0e320c

SHA256
c38eec0f2c2bb9e16822d68899ef35356d76c786d3b8fe3adf43cc4edab0d25b

SHA512
bce78744a4d85ca9c2e6d9efeecb009da6fb55ac0cd585d0499c2aee9b2d9e922aca74d75402ae7001b13c23b25aee68e6c1e768b2b12cfbd632b886a25c5549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
18KB

MD5
2e19d171f0f4ce5c95fd1d06eed392a3

SHA1
44ac162b43a70571cf63c56dcc6e54bd121aeebf

SHA256
b04769e7fd1ae13246c462d3da92544416006960625eaa505b31cb01d8a729b1

SHA512
ed436f2d234d520289470367a11d86d0dfc48bfc52b9304a207984787a093a30b1e6fdc5fc3c176c85545b7d9edb97452e7b2415477bb700cba043d00d176086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
26KB

MD5
119f59f3a7895eb5f7ea91f08a3ca7bf

SHA1
8b0288d0dc50f48220a68a55a11bc9d97d4477c3

SHA256
24e931c32f698713c46f8cda8194534000bd616f76cfb38a059382558e2301d0

SHA512
fb70146736e222cd22390db140cf6836179cb06a5c9cfa97819a8121f9df2c351b0e505485d760191b206d1d26e85166d25722ceef23a232798b20b5d72b1d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
353441c0ccd2b5ca304751cdb837bdb0

SHA1
6aac25f8d201263774dfb395e2de21191331e4e4

SHA256
b80c2fe6e0abd610459c0ac94d8f2cd22534d9f3a9fecccafda486b61fae4b2c

SHA512
8ae751b67363c9949583524fdce1235adb757c1927203ad94255543ab0c1a922dd6d4050c0de11291bbcae4934c2fbdf30019429b3101bdcae97e308da9fbff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
505efdbad1b29e3d116ebc75260fc9ed

SHA1
42da7aca33328ce6eedad1e92a68a9622e043d3d

SHA256
a7f8e273d595e80fa709990a66412163f5a10eae09b16f141febe685e61c2296

SHA512
dfa148a053199184a5806b1aed58841e40002dcbb7c36827a0bcf6f795e373ee30d36fabb26858346d794babb52b947876f78f8c5f420b5140f4a61b313ed960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c2b89a492fdffb368a9d00e414cbbf3

SHA1
c8a8106358d7bd7278261782524730c1e8c0e742

SHA256
f1fcef056474a66f412c6e1675a7cdeb6b0d459afac6936f31d8a2e66137d5b9

SHA512
865c2412591688ec8fb3ce3b3cb9d4f81a40edf6d886f996571bdde3db06a15e8d4a13130da66aee281b928b2384a56d375fd83c729c958e8aefcc01b8a83b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8d1be0b35c9acfe884b426a9864b62f6

SHA1
0ef63b30c7a072271a9cd754a9750bf1c19decb5

SHA256
ecff938fd954a65137601d71b1e7d45c670b794d91661b79a0deb2a04899c85f

SHA512
c6ed86cefb334c49189d4cf4e0841a4371a903ec7b2566bd0d9577c0e036550f2e998810b166ee971245546f241c1c66522ce348701c8541eef9a21ed3f63953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3861655cd672c74b678b9d65210cb82c

SHA1
9ace84d925bb7e4e326dddecd28c7bcb9aad17cf

SHA256
4a45dade51394a0e3423365e0b1932291c7cc75ebad3b818b4edb7ff6b118679

SHA512
20acb06cbf8827db6a27fb95dc7c49bbe623fb12b0811407c59fa4e1aa647b7fe575c6608d21ed69ea90090f12ce5ff21bbeef5732e86cd5a9357ac4f121c870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
a2bea757f1aec53a15858c4ffa366974

SHA1
8453cd89234d523eae9ba635804d4005220c7ccf

SHA256
d15c561d3abe0f18c28421b66788270416de6514da148706ed32514f1f8bad5b

SHA512
e6a8c340212ec5fec4a912acfcb36d6a0159d230fa144ca7d1eeb2b72e239696d0a7ba7cca9cd668a9acea908dd00e2c568335bedbb7ea96122a24374abeb1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
01007d9e851011f863e5df72a2c4b84b

SHA1
869ce5dccac1bf25f38fe9f0391f31442be1e059

SHA256
2dd5fb961e9a6c1b7c2cdd710be0e683687fc161a952812ac570232ef97069aa

SHA512
0584c89a243759f6b04347b238e543c62510540a2fda4284a796cbde499234979c56d829d8ead1d150a5bd178d8f55882049e98496cbd0d958e800f8bfcb30e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
f50949c80bd97bbd6098034a2cfaf6ba

SHA1
4aa79b8106de3c137ce7b9197551f55a16d6f151

SHA256
3a092e7cc3328cc0e2c7d85c53d3feeb23b1c82552ab66c1aeb84ce239c2e79b

SHA512
bd86ef8ea309f77bca35483c6951c3069192655dc94c889d0c56c6aad64b0bc191015af323f4ad8b79026d941376738ca8fbc45603c86a391851cd125e442f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
bf9d329d4e6403671c3fcd34d84e79f6

SHA1
73cb95540966edd5d92b13b7c0c16de90e8fe613

SHA256
80f2de4b53500de99efd84a402ac63154f3b80073a68bb668cdb5409ac3b4f1a

SHA512
12cfdf17e0903c77f1d9abc90a4661cb8e492d0ffef85a1f1539a92373b179bdb95958654a4c05277a6af101e27887a016426facdb75f487f9eed74b115f8932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
55223fc40d218b944479ed2003389172

SHA1
d5707c488e5e814858cc1e4a290d6ad961dbcc0a

SHA256
0a651528a6b75b52a07f6fcd91037f488a381e2df23659d3b54d9e55914f9118

SHA512
9ba980d77e00d15b2f042fc38af25a46e127823612e3ccaac2a646b6795990b0dfe850d9269d92d95b8a913f6eb8ca2dc0a2e323f2d1ba5123dc1608b77c906d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
18d723f20ceff1cf3e2d707d0ba46939

SHA1
6258b9353e5f99e9e019ea8316ee764b59d101d7

SHA256
80da3c5c41c521ccbc83c8fbc2945979653e90e7e375a2d36393ccc98d5b1341

SHA512
9af874287a45df338e42da0037360dc3cf2d444b692c637b52e37ce5671a51b71f1f95ba12e0fb20acad4544288e2e0922b4ea08cf7201918cd944610d1e3c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
80b23ab166cf8bfa6096d7b9b10b0e29

SHA1
f4e6919ba995f6e83a36cfa49cd6984494b259f4

SHA256
bbd03c42948b830af05d2d5d88cae4129168505a328d2528fbb86db239a0950b

SHA512
899603b751a57a1f91fc6b8f21893dd3ff3a3f9b06c13ad61c9189f4b394ef01fdb1764244c338d9ae9624f79a565de901b173efcb6c2f1da36eef536ab48f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f336349cc1773fc961012141ef80f1bc

SHA1
ffeababe696960d1ee8bc4813129b0f24cabfd4b

SHA256
69f99dc05a481cc83b0efcf178cef8bd58d7878994377ce4b979a3919f243712

SHA512
95cc41919ccaa4162e83a36324682b3b33afdc6df37ebab081aed38ffda67b6e2ac8e65887563c900be277a5b3002dff2ad43b565a18d4fee06fcfcd417825d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d1c01e319826d0746d7b60f7fd40cff9

SHA1
e44ba54db90837258114b2760c36bd3a51c02264

SHA256
47c502dd1b1f67c79d1ce7306dd63b203f1a4e4836da18321294aedc18a2e8b1

SHA512
9b52ff1e6f7487c114e7b9a69826aa3c13ed8d4095e2b7c1b1dee556f4fa1232e320ac41c5a51c5b68505c54921314f2cdd4283285b24968432c3d24a1eaafa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a5c7b68877aded08455c50acf9015804

SHA1
ea757d3826762531f2692e229e981d69b76cb688

SHA256
4c0063de376abc79edaa0b9ae9c14e70f1c15e2e00d53e8427a5c0440cf2a01d

SHA512
6cdd57955fc7a675d8021dca46ba668fccbaae8328cdf7f2a6e3368017c961f31a4ae15a15871716a605c703a8ba7d89887d647e96c7fb0e6e38ef41f6f09b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58deb3.TMP

Filesize
48B

MD5
70ac90bc95be3c701f5ac4d439ab61c5

SHA1
07a84d613cb23a615b610d96e5d5e35fc0c352ec

SHA256
df9ca232ef6b37b70449781adeedb16b8131dc15fc04ffb1ff5b59c64e0c8eba

SHA512
e9a38bd7bbcbe5e30db6377bf5973dda980ecbb750514d77e0f63528de04e7c20125e51f8392d6cdc711ae7ff23f433eddc9396fdd0c7227c9cabe0a6bf33a94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ad84af051937b15d3df1488d2fb7212a

SHA1
0f131df8115a937d0aeb42e14b6a3ba221a961b1

SHA256
757a64dd4cf70d18a9d8bbcb1964b4a94afa87a3da3812be93844f9347a46f36

SHA512
ede1114ea0b6c57aa45f20deee63bc6c9a371693df1f3e7383bcf88c839f8f0b103a0a20510fac112f78e9aac801e1b78f665040b2dffd493b020912be142ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ef4dea133a3b85ae18e74d16db7de1b0

SHA1
00dcf08f4b509102fb6615028a6d2f817fabaed0

SHA256
5340dcb4e2a40f3f91655327af5e0369280282d474a1dc9934fa26edcfdce754

SHA512
ecc08bb660fabed81c48df52b8c83389c6b315065b3b006908f9c4a2fa7fc4d86d882f23d16739f1df5ca0603f6a7f14f43aabd3c0936aa63d5ba80b7a7884d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e7b64999359ad7d19feb0109b5f9f304

SHA1
680de6dafb3cb0b3a9cebfc594c1d0b0f47201d8

SHA256
e4206727435ac2bd679fbe03fc976cd5e7f665c6e0d16ba1c01911f609fa85aa

SHA512
624129630d7b68ef2a620b44936cc9493d34866add5615d1529148fd218b037570219ab0f1348bf3413a96c537be449ac2c8b1b01ce4439da878b0b22238a02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
721496f26cd88ba59539c062a7e4c0e5

SHA1
639b5dfe1eded37a2c986dbb1fcf3efc301b523c

SHA256
020aa42e90a90244bdc1fc0d146c59fd36dc3f595425ed23b5b79b538a9d01d7

SHA512
772cf346a74cce0f45cd999d3b3bf9319f212dde4d5ea434b60ec525585b6b7373a2473d63b6f274ae915c22cc8be1448bdf8975ba5aefc2b8bcbaa8c6e753a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
fdd68924fffbafcb9c05a1dffdb98542

SHA1
53fdf930226922cf070480134089234882937701

SHA256
73a5157e3be97dabf02c2db84865d88f2ad1cd5447d652fc2771de337429c85e

SHA512
5084b5cf1ed52ede81c908303c4eb23cec97ba5add9f6ce53f548dc14a282847535bc7197cba81009701a7c3d8d0f60c7ebb9605885bc76d713293d2537a3c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
40f0c5cfe33ac7f97496f46d9a4e8fb2

SHA1
ea7148583d4b473da4e0189ca94d006936bf1cc7

SHA256
5a899410839ce620d43215e9cabe901e8cd3d31e60a43abd596aa38b4fc59c15

SHA512
198ca2f47307be96006c4cd73231930f2b19d8aa079d4fef20c5f42e9f5f94edaf6179e301d2ccc07d0245fb39472fcef01a9fdb408bc286539dbb323fc87178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
bedf35aa0f7cda6780e91f2c74f1735c

SHA1
7ff916fb9db8a386b92c2987fa92e4624976db3b

SHA256
575847edc8ed3d5b65001d52efcb13b5a954e1e992afdaebd89957ac1fd86f58

SHA512
33a854bd877e12ae622ca470918d13a40d896c751e2285b1ca422cd9c7e53aababc75ab217ba1bb3c3ee1d264b5b28c34b47599d5e4051f8978bd95bca39f2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7296052b76014fcac5433afb791008d7

SHA1
86f58d01c08f84c9074ee77c408e6fcc6a172362

SHA256
bb39cb3b0fb1e786145a0e04fbf923b0d8293358cfb286d2c03941a6951bf5ae

SHA512
34e5e62cbe73be8ce6d30b9e51459d9f4772702c93930b97e9e2017d0feb4e7dfb9432c50694bb11fa9a176773e522c99515181493bbacb9a7d293f7e90a355f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
68d1ca3fe9e83855143ca08a23bbd1f6

SHA1
58b1146ab8f1254e61e857d97d2c6c8eeb56a5c9

SHA256
907f8f382fe688cf6af4857aae41813bb71cdbb4413f5caeae39357ef1ed9414

SHA512
cfb43ee8cc2c734208b5f3cd7275233a25cc3be76eb2a6f9ffedd44c312fde283c89519089a421f44f12c7e10df29412a25d43cd23218daaa07b354715ed36ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
1bf794613c8d3e4047c338fe9d9fb479

SHA1
88fefa7d64ccbf5fb1d19f9105879783cb71d77d

SHA256
c27d82a321fa3b73ad71246e4c949a3b162efa1ba55182bcfad100224f109d23

SHA512
ca6c3725ca189eff8821658f492424f76b78b9c47b4efbaf6c72db05e797f4a09c1ee964fc718e75dbcf8a95866ddbd939813c0d616a77722774fc59541065b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ecc6813a322720e4e47d40375391ad7a

SHA1
5a121cba349ca43ad94461688d475772f241c737

SHA256
16364cc4ee2a2d0945ed5830690fefec1c070d7e379c8840f87352fb4ef93391

SHA512
5f4d8e71fa7a071561a39a4a8e42b5feb24956abe74f60f7cddb3670d59ddeca8a127e02cbe1c3932bafc209195c9b2f590d32146dafbaae7cb9f07720795b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
8d4f5f684d148288238497bf591e7cdd

SHA1
8a63a4d48dca35c4ded1bded224f6ac957624e38

SHA256
e044f72bfa5730519df6693b1a1ab30109d08e8d46ed8eee5f6ce551e28de2bb

SHA512
68b70078e148ee350f8f659380bfee668c022fb70c351e2c6b52ecc80fa26e45ca5f07ec4f4fb5c311b4cb9be6c3568e848c7e6efb18cf018f91003902c430f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5c2cb035c7ebbf79278841cf518ea5fa

SHA1
3057d475b3664a93782535b51861d5a85c2eaf97

SHA256
c6fb405bd4fe4ca5ba416a5c6da4dacdb6e26d2b7e4fb9e7ad0ba71b259a4418

SHA512
d6f2cc9468887220be8a51ac627134b88574d853f76e97a0a59ad0382b9d396682fdefdd0132fd5061d3ca35a41175414dff7ba710e9e8bbc61ed2e88e42f2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b06f.TMP

Filesize
538B

MD5
ad5dc03b3b0c74e63cf8c8b051b027ff

SHA1
e53cc962c2124a385435ddeabb0fa64e60bc2527

SHA256
6558274495175d01f2441b8110753a9d0dc56ee87e5ffcc65993caa6090a8bef

SHA512
d7df88ba9a316fe9bfb42fbe84344dd7f3e680021917c938a5c53ad38f03ddf539b5edd95cfeb9065cb3bfeaa6d1210c8267b647e19f77fffd9a9e2fdd67c1e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5940b5f22a1e58a82d56efb821a2aabf

SHA1
48c4a94cd00857e08533345eb1b64f16f2832a9b

SHA256
f5d6630cbe9052e3852cdf91b31bcdfbb940b2ae40ac65124c16f0c77bf9009c

SHA512
44a2a2cbf3a4c28341e7a03dc9d00911970045e3f9e6cee2fea5d328c2b0394b1abc60963bde62669d01721290f904354e246742a869d4f953e15f808ba2d0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74d3ab2ac2f6978fdddfc478b1f13ace

SHA1
a205cb73b04eddadd9daf034cf87895432daa7cd

SHA256
51982ecf4a1547c6d7f2fd5fad7aa4bb7ca6f9be5ec536a721c5de6354fc2c2a

SHA512
9c0801f9f968cb70e376985118b2393ca2b2cc19fe801d8200676b43490ab6248333a12c9b460b044aab83290642ae7f5e2110971470690be7082a43925f737a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b2572bc8344f3cd5dfefc78bb92eb75f

SHA1
dae39fe151c9a1f348d352db6b4c145d6c3deb48

SHA256
2180b28f307db7f1088ba01dba1ec39c93d711137b649969a5080a0da58b1ab9

SHA512
55f916caae426276baf5e7b96c86fd93f467307f70d578adf178011f61a393fde3eaaba2caafd8f06b0fe645226f301998b8aed959f07ed879d53e51d9c7fed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93def15cbdcc4bf1bce0f69af175b917

SHA1
5dc44bce4d4c62a690eb95897eb7f53902c79b94

SHA256
5ecd01aefa90cc53961d2e562ba6e768f4c54750f1a1f92bdfde7323efada716

SHA512
629296005bdee72d59fe045290b487426b1bdf371717c67b7014264ebd475b947e00d25f77aedf7fde9b40b55f98955118ae68dca4085b1aaab7e8cb21430b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd1067f604f62997446fb80b19fd3e5c

SHA1
b449f60db2966771b767e36cdf43ed62e55e5d38

SHA256
db8880270b10cdbaac78d31893145ebd0c7541d6a43145f50230c8ccebf0bb7a

SHA512
0537511e8fa8a1d18f2c6f9f5c67a23d1b1889f3ef84f71e4f8a020ecf039a7aee225df0ddfc36d263d4439de78378dde5e2066063a1e19f485eba2f86e451e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b3370de880a2b1b9ac71047159d9b43b

SHA1
6ed291061f5ab4713da7492f7e15ff5f342595a4

SHA256
b3ee49c8a158ce4ef2065c65d61dcd1df9b4addfe75ffa47320e17613f116fa1

SHA512
25a926bc07f41a8f3557a183ac748e309f7d20ed33fd76ef98b99e867eea31187c92b56b7d6883b4a0666d5c3a44ecc9ff676b4c7289f592b92a874cdf0a7da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fr1s0ua.wa4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
b33f2e65677a256b37e75340c167f54b

SHA1
735c404466aea6a70e653a6706cdd0b4d65c0aae

SHA256
77e81f19ef02e620898b53a308d502042b9ae732d9741b99062a1baaa164dcd7

SHA512
cf1bfefef47d5cee5932fc9cccf323f87640912225cb5b0f93442929fc96f32edccad48fd8c95def9be64fa62c750add4b53448e3e4a2e854f8940be7aaefc8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 175071.crdownload

Filesize
2.5MB

MD5
4b3458b9c6aaa39ef37fc290459b6908

SHA1
ba8b683eca181784d049efd008f50aacf5cf4079

SHA256
9bb59ea13d91b11739e9eb8e39ab243d80935310838b0f60b450ac2a906aabee

SHA512
0f3977bb0b137ad65465a38be1d97acbd50e1f57078c7bed957fd0c210d1bd5f4895b9afac8af4c202a3f905f021cc7042210fe030ff5de6e6cb7c4f90591dec

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.2MB

MD5
4cb300be1af3ab9ab421b0794cdaeca3

SHA1
8d0f501e26aa91ade3f62fd601c0d60126e22d6c

SHA256
f85bdf7d37f319f4d40b653dc5904590551120cd3a21eadd5dfd5dd7a2f47123

SHA512
14bedd282529c2b22690379e62f2c39c53a1bc11c73312177d2fb413440776a1ea4910096da3eba96b60a968c4d8613cc89f17110143bf72f6248fcae9b3e3fe

Download Submit
\??\pipe\LOCAL\crashpad_2012_GOOCOWZTWGPIDZHB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3944-2567-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/3944-2577-0x000000006F130000-0x000000006F17C000-memory.dmp

Filesize
304KB

Download
memory/6496-2598-0x000000006F130000-0x000000006F17C000-memory.dmp

Filesize
304KB

Download
memory/6496-2588-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/6712-2560-0x0000000007610000-0x000000000761A000-memory.dmp

Filesize
40KB

Download
memory/6712-2559-0x00000000075A0000-0x00000000075BA000-memory.dmp

Filesize
104KB

Download
memory/6712-2532-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/6712-2530-0x0000000005B00000-0x0000000005B22000-memory.dmp

Filesize
136KB

Download
memory/6712-2529-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/6712-2528-0x0000000004CF0000-0x0000000004D26000-memory.dmp

Filesize
216KB

Download
memory/6712-2564-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/6712-2563-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/6712-2562-0x00000000077A0000-0x00000000077B1000-memory.dmp

Filesize
68KB

Download
memory/6712-2561-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/6712-2531-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/6712-2542-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/6712-2543-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/6712-2544-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/6712-2546-0x000000006F130000-0x000000006F17C000-memory.dmp

Filesize
304KB

Download
memory/6712-2556-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/6712-2545-0x0000000007270000-0x00000000072A2000-memory.dmp

Filesize
200KB

Download
memory/6712-2557-0x00000000074B0000-0x0000000007553000-memory.dmp

Filesize
652KB

Download
memory/6712-2558-0x0000000007BE0000-0x000000000825A000-memory.dmp

Filesize
6.5MB

Download
memory/7128-3243-0x0000000070E20000-0x000000007281B000-memory.dmp

Filesize
26.0MB

Download
memory/7128-3242-0x0000000070870000-0x0000000070E16000-memory.dmp

Filesize
5.6MB

Download
memory/7128-3239-0x00000000707F0000-0x000000007086E000-memory.dmp

Filesize
504KB

Download
memory/7128-3240-0x0000000070770000-0x00000000707EA000-memory.dmp

Filesize
488KB

Download
memory/7128-2772-0x0000000037340000-0x0000000037350000-memory.dmp

Filesize
64KB

Download
memory/7128-3241-0x0000000070710000-0x0000000070769000-memory.dmp

Filesize
356KB

Download
memory/7128-2747-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download