hxxps://www[.]ldplayer[.]net/games/download/roblox-on-pc[.]html

Analysis

max time kernel
412s
max time network
411s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ldplayer.net/games/download/roblox-on-pc.html

Score

8^/10

defense_evasion discovery execution exploit persistence phishing privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "WVTAsn1SpcSpOpusInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLVERIFYINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETSIGNEDDATAMSG\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "WVTAsn1SpcSigInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4064 takeown.exe
3064 icacls.exe
3540 takeown.exe
5500 icacls.exe
1388 takeown.exe
752 icacls.exe
A potential corporate email address has been identified in the URL: currency-file@1
phishing
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

pid	process
4064	takeown.exe
3064	icacls.exe
3540	takeown.exe
5500	icacls.exe
1388	takeown.exe
752	icacls.exe

Executes dropped EXE 17 IoCs

Processes:

LDPlayer9_ens_com.roblox.client_3040_ld.exeLDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeJJSploit.exe

pid	process
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
5732	LDPlayer.exe
6024	dnrepairer.exe
3528	dismhost.exe
4816	Ld9BoxSVC.exe
1056	driverconfig.exe
3020	dnplayer.exe
1324	Ld9BoxSVC.exe
324	vbox-img.exe
1416	vbox-img.exe
5764	vbox-img.exe
1176	Ld9BoxHeadless.exe
1780	Ld9BoxHeadless.exe
3708	Ld9BoxHeadless.exe
5960	Ld9BoxHeadless.exe
2224	Ld9BoxHeadless.exe
1644	JJSploit.exe

Loads dropped DLL 64 IoCs

Processes:

dnrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
6024	dnrepairer.exe
6024	dnrepairer.exe
6024	dnrepairer.exe
6024	dnrepairer.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
3528	dismhost.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4816	Ld9BoxSVC.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
4628	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
3840	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
4948	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe
2308	regsvr32.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

752 icacls.exe
4064 takeown.exe
3064 icacls.exe
3540 takeown.exe
5500 icacls.exe
1388 takeown.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
752	icacls.exe
4064	takeown.exe
3064	icacls.exe
3540	takeown.exe
5500	icacls.exe
1388	takeown.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exeLDPlayer9_ens_com.roblox.client_3040_ld.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	LDPlayer9_ens_com.roblox.client_3040_ld.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

91 discord.com
269 discord.com
487 raw.githubusercontent.com
488 raw.githubusercontent.com
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

flow	ioc
91	discord.com
269	discord.com
487	raw.githubusercontent.com
488	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exemsiexec.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua	msiexec.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-utility-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAuthSimple.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Core.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\fly.lua	msiexec.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ucrtbase.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcrypto-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-interlocked-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua	msiexec.exe
File created	C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua	msiexec.exe
File created	C:\Program Files\ldplayer9box\platforms\qminimal.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\platforms\qwindows.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua	msiexec.exe
File created	C:\Program Files\ldplayer9box\tstVBoxDbg.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\JJSploit\Uninstall JJSploit.lnk	msiexec.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI64.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\dpinst_86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSupLib.dll	dnrepairer.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exedism.exedismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6881.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF35B909F6FFE74DB8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5647761B6A6C6F0D.TMP	msiexec.exe
File created	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}\ProductIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7B4608F19D105678.TMP	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\Installer\e5d67e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5d67e4.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C62B7338-B484-48A1-AEB6-9AF4EF5E384B}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF73EFDD7A83DAD252.TMP	msiexec.exe
File created	C:\Windows\Installer\e5d67e6.msi	msiexec.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1404 sc.exe
3904 sc.exe
5424 sc.exe
3004 sc.exe
5580 sc.exe
5144 sc.exe
5088 sc.exe
536 sc.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\LDPlayer9_ens_com.roblox.client_3040_ld.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1404	sc.exe
3904	sc.exe
5424	sc.exe
3004	sc.exe
5580	sc.exe
5144	sc.exe
5088	sc.exe
536	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exesc.exeregsvr32.exetakeown.exeicacls.exeregsvr32.exesc.exesc.exeRdrCEF.exeregsvr32.exeRdrCEF.exeregsvr32.exenet.exenet1.exeicacls.exeregsvr32.exepowershell.exednplayer.exeRdrCEF.exeLDPlayer9_ens_com.roblox.client_3040_ld.exeRdrCEF.exedism.exepowershell.exedriverconfig.exeAcroRd32.exeMsiExec.exeregsvr32.exeregsvr32.exepowershell.exesc.exednrepairer.exeregsvr32.exesc.exesc.exeicacls.exeRdrCEF.exeLDPlayer.exetakeown.exesc.exesc.exetakeown.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_com.roblox.client_3040_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000235a573f571b962e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000235a573f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900235a573f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d235a573f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000235a573f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exeAcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeLd9BoxSVC.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\ProgId\ = "VirtualBox.VirtualBox.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-486E-472F-481B-969746AF2480}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6038-422C-B45E-6D4A0503D9F1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D612-47D3-89D4-DB3992533948}\ = "IHostPCIDevicePlugEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C380-4510-BC7C-19314A7352F1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\NumMethods\ = "14"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\ = "IDnDSource"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-a1a9-4ac2-8e80-c049af69dac8}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}\NumMethods\ = "21"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ = "IGuestProcessStateChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-F4C4-4020-A185-0D2881BCFA8B}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E78-11E9-B25E-7768F80C0E07}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C380-4510-BC7C-19314A7352F1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\NumMethods\ = "38"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-EE61-462F-AED3-0DFF6CBF9904}\ = "IGuestSessionStateChangedEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\NumMethods\ = "32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0D96-40ED-AE46-A564D484325E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ = "IGuestFileIOEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7193-426C-A41F-522E8F537FA0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\ = "ISerialPortChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BE30-49C0-B315-E9749E1BDED1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-3188-4C8C-8756-1395E8CB691C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4289-EF4E-8E6A-E5B07816B631}\NumMethods\ = "37"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-70A2-487E-895E-D3FC9679F7B3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\NumMethods\ = "17"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7f29-4aae-a627-5a282c83092c}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\ = "IShowWindowEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5F86-4D65-AD1B-87CA284FB1C8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}	regsvr32.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\LDPlayer9_ens_com.roblox.client_3040_ld.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Zorara.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 784002.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139857.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeLDPlayer9_ens_com.roblox.client_3040_ld.exeLDPlayer.exednrepairer.exemsedge.exepowershell.exepowershell.exemsedge.exepowershell.exemsedge.exemsedge.exemsiexec.exemsedgewebview2.exe

pid	process
2920	msedge.exe
2920	msedge.exe
2720	msedge.exe
2720	msedge.exe
4196	identity_helper.exe
4196	identity_helper.exe
1168	msedge.exe
1168	msedge.exe
1248	msedge.exe
1248	msedge.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
6024	dnrepairer.exe
6024	dnrepairer.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
5408	msedge.exe
5408	msedge.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
5732	LDPlayer.exe
5732	LDPlayer.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
4088	msedge.exe
4088	msedge.exe
1736	msedge.exe
1736	msedge.exe
2760	msiexec.exe
2760	msiexec.exe
5408	msedgewebview2.exe
5408	msedgewebview2.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dnplayer.exeOpenWith.exe

pid process

3020 dnplayer.exe
976 OpenWith.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

676
676
676
676
676
676

pid	process
3020	dnplayer.exe
976	OpenWith.exe

pid	process
676
676
676
676
676
676

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe
Token: SeDebugPrivilege	5732	LDPlayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exednplayer.exe

pid	process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
3020	dnplayer.exe
2720	msedge.exe
2720	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

msedge.exednplayer.exe

pid	process
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
2720	msedge.exe
3020	dnplayer.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

LDPlayer9_ens_com.roblox.client_3040_ld.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exeOpenWith.exeAcroRd32.exeMiniSearchHost.exe

pid	process
1532	LDPlayer9_ens_com.roblox.client_3040_ld.exe
5732	LDPlayer.exe
6024	dnrepairer.exe
4816	Ld9BoxSVC.exe
1056	driverconfig.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
4580	AcroRd32.exe
4580	AcroRd32.exe
4580	AcroRd32.exe
4580	AcroRd32.exe
2936	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2720 wrote to memory of 4208	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 4208	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 1700	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 2920	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 2920	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe
PID 2720 wrote to memory of 3344	2720	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.ldplayer.net/games/download/roblox-on-pc.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7232 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1248
- C:\Users\Admin\Downloads\LDPlayer9_ens_com.roblox.client_3040_ld.exe
  "C:\Users\Admin\Downloads\LDPlayer9_ens_com.roblox.client_3040_ld.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1532
- - C:\LDPlayer\LDPlayer9\LDPlayer.exe
    "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5732
  - - C:\LDPlayer\LDPlayer9\dnrepairer.exe
      "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524852
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:6024
    - - C:\Windows\SysWOW64\net.exe
        
        "net" start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Softpub.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5360
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Wintrust.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:5356
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32" Initpki.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" dssenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" rsaenh.dll /s
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" cryptdlg.dll /s
        5⤵
        Manipulates Digital Signatures
        System Location Discovery: System Language Discovery
        
        PID:4432
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3540
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5500
    - - C:\Windows\SysWOW64\takeown.exe
        
        "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Windows\SysWOW64\icacls.exe
        
        "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:752
    - - C:\Windows\SysWOW64\dism.exe
        
        C:\Windows\system32\dism.exe /Online /English /Get-Features
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\dismhost.exe {FB96D85A-6222-44DB-921F-4B7B8053435F}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3528
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query HvHost
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5144
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmms
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5088
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query vmcompute
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:536
    - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
        
        "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4816
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
        5⤵
        Loads dropped DLL
        
        PID:4628
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3840
    - - C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4948
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1404
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc" start Ld9BoxSup
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3152
  - - C:\LDPlayer\LDPlayer9\driverconfig.exe
      "C:\LDPlayer\LDPlayer9\driverconfig.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1056
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4064
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
    3⤵
    PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
      4⤵
      PID:5160
- - C:\LDPlayer\LDPlayer9\dnplayer.exe
    "C:\LDPlayer\LDPlayer9\\dnplayer.exe" downloadpackage=com.roblox.client|package=com.roblox.client
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3020
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5424
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5580
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
      4⤵
      Executes dropped EXE
      PID:324
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:1416
  - - C:\Program Files\ldplayer9box\vbox-img.exe
      "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
      4⤵
      Executes dropped EXE
      PID:5764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
      4⤵
      PID:2032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
        5⤵
        
        PID:5764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
      4⤵
      PID:6132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
        5⤵
        
        PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2496 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8368 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=8840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8960 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8356 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7616 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8472 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9076 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8712 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13101648110332435293,14606520651360349387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1256 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi"
  2⤵
  - Enumerates connected drives
  PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004F8
1⤵
PID:4740

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1324
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5960
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:976
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Zorara.zip\Scripts\IY.lua"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4580
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5380
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E3351E60D91BE486D2983032D06C927 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AD2D5030710F83C5D72F8C6512BF7CBD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AD2D5030710F83C5D72F8C6512BF7CBD --renderer-client-id=2 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5940
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F76CDED7AAD4D226B7E7E3784D48F4FD --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6768575E72456703C735D30FF2BAC060 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5496
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46F8DADCB02B731B1DC5A94971334E77 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 567CB2D270A77236E2962B3395EFE2CA C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Program Files\JJSploit\JJSploit.exe
    "C:\Program Files\JJSploit\JJSploit.exe"
    3⤵
    - Executes dropped EXE
    PID:1644
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1644.4232.6698813040904677042
      4⤵
      Enumerates system info in registry
      PID:3836
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x114,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8
        5⤵
        
        PID:2308
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1764,12993663893133108714,12076755701349725603,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
        5⤵
        
        PID:4292
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,12993663893133108714,12076755701349725603,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2076 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5408
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,12993663893133108714,12076755701349725603,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2376 /prefetch:8
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1764,12993663893133108714,12076755701349725603,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
        5⤵
        
        PID:4060
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJSploit_8.10.14_x64_en-US.msi"
1⤵
- Enumerates connected drives
PID:4796

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5d67e5.rbs

Filesize
21KB

MD5
bf92b8695b42a605423257b52919500d

SHA1
61db05152050990647e348e598dc99f412b58a8f

SHA256
38a4fc544be7ef6ed7c943a10037ca2515848686680da34b8e8f734a48f748ea

SHA512
cf8dcd182c3260911121317b94baff51cf882637d5b35c86c2c607a671a2eac16ba7b9c33dea8c7a99bee441fb6a06e92252f69f5b03a8a958d3e8ded991bcf2

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
1eb5ffaa41c73d028b4108eef962fb7f

SHA1
bba9bcb8a064fdf68a79bae656f11ba039c9cc77

SHA256
421b885202b3bfe4c7e5f9281c17f836df1de98db6d14c6590eabf4d8153a6af

SHA512
148863b577f7d9fc25225e8dfd3f01d4865afb1596dd320bbd0451fae9d173fc1e15105f0e98352bffb6c36a2462e3d8292ce6db8877b0b921b304be1ba2b879

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
03746b5d567927bdb69499ec30039d8c

SHA1
93b08624bd80ed01c370e0ba9a2ee3824edd8733

SHA256
1e3b7a0ac94de0e7209b19b709a0ddd2effbc1b98437a81b3d3dac853ef54b77

SHA512
abf608e020e732407524b780bed7b894768f9828dbbecb1a66c9b6d8cb079380646bc228dce5f1bdbef4b089b241574a22c79eee3271a623cd05e7754ad83e19

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.6MB

MD5
2c8986ce6c1c5fcba4146f642e95d862

SHA1
a913254e6a9bd1db7825f9880a992f21a6827bd7

SHA256
07285fcc8e65f164c8897ebdb63dc44801dae28782a6b2ee5f3469c64952efd6

SHA512
a5b074ad394b75f2597007ca732f5e1b877fae483122332dbcaecfea0c6c52a658df8b5844e60280766fcd38333dfac3a259c159c405a83ea6b78691405203d5

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
5115ad2e73db8f2c00f9328c97469e0a

SHA1
552a24ab6bf961d84b1211f0b9d083c24c36781e

SHA256
19b8c6fa38f2fcc728acb3a110ab4bcdb49648440957a75ecc107c84f3eb7be3

SHA512
7ea61e22a4d036a690ed6fdb6fe05464c0430cc4811930815d6d7281f99c2895e7956b90ec255f59020da82c6f7ae32a9ac780e9d4464a05d4f680119a4ec739

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
8556c04c551d35d6a80ebaef4bde9af1

SHA1
158feb0ecf4a6c5cdd93169cdac4c8f10db6f85d

SHA256
7dd496d6acdc405576d42cb50956c203f7aa69080c65e587b1629f45d0b52ee7

SHA512
b29ec3d8833e96ec672ac7378b86bbcd3a9a306d01ae7acb143f68686fc7416a22cf09f315cbfad0e38aa2e7d8595df2584e38bd6d9b1f3173f7b1b7b49da227

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
de0cdb61054a89ca6d49a352af635d3a

SHA1
b33431bbb6eb932535ca75d30510de73211320c6

SHA256
b509e6b2ca58aa3607a809d81bd4f5a1d25da4f36190b6e10e389912ac31d63f

SHA512
0d8ce1b08238ba50e59ecbbf68eb6b6db73d1fe10b56608f64acbd77a91ce45a1cb938d4a8c9322e6bbab8501733128af6067256c8b1a93b8d65b7b0e59bc6ee

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Program Files\JJSploit\JJSploit.exe

Filesize
9.7MB

MD5
281a79abb33f10b3f9c6c40c0e165cc3

SHA1
ea7bd361ca528f02f0f95c376d844af98105e218

SHA256
30f840be1b9249d22c6bdc943d6901ee8723284770be1b7e18ea12a844d91f77

SHA512
2f6deba4a2cdba68820dc8a47f20253107a3420a18cf3f0995fa12b434afe41fa6213d392cab2826517b4cf8cf59fceb2083f855531daf9310128754dab7ea1b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk

Filesize
1KB

MD5
5752d83e7b0ec7cb2a55ec91e32d0ade

SHA1
33da707093b430846e26b71d8f4a980f3da293c3

SHA256
368a5d099412efc934d0b78ee538c950aae31c630dc33224266a0647772a1d52

SHA512
7cc641f54ea6f5d4e0411b33c709e8fc36e65cf9c50057a189c471b9a0cfc659dafbfea0b5039d2d20dfeb5c370606a4891e46150ddf4ad88ddc24ef6099f219

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JJSploit\JJSploit.lnk~RFe5d695b.TMP

Filesize
1KB

MD5
021f560f93372c0b487fd9b4af4c6d73

SHA1
10c7725afd1b61b3312a9acb468361db28b10f0e

SHA256
26de60f466b150eddbe65e7e2b5bad3907781d91735fe596fa97c4cfca54dfc4

SHA512
d53a3d7e11d4743b9e8771e47b3f3c3182417ec224b5179bec329af591d1734b305266747c5aa09f0ae2e079fc25323c456675eacd7378acad7a1b9f1792a7b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
04f886e8a845c17d391a8669932968db

SHA1
4150d82aa525407ff39db624e00226c4e786a20a

SHA256
870fb450ba039f09cd4d7392df4700cdf4e818ea6481f25e4837ae62b2d61929

SHA512
f02ce7080dbb34b813f1645d77577471e7d96bb6368de8f2d91aa17c49593a7992151dc34db8febe0d0ca948a5ef142414d46921b6a9dcf8332b78a36d898548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
404B

MD5
014609f909f124d6617500ee54af4df0

SHA1
6b69db6da07b04248ec515d3fff2b063515678a8

SHA256
9dd61f95de998f9be7894d7b32ca7cb1cb9dbd4c1b0c047ac643ef767bb9f7ba

SHA512
ec8a941a278d8f29c15e2a88e5d50070045c7a54b37dab47f37982a5375561ed02b519cfa049c3a131a1fd7aa8fd18158bc37c70d038d60f0118bb4bc71113f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
32KB

MD5
7cc9b78226acb93f406eb1e4e17d4d5a

SHA1
8edf2712deade134ce6bd42fc8ee70eb68891656

SHA256
45afa895ac254a15f8928733b5c07204aee680dfc3f0b3a1e87da9430dd99ef7

SHA512
4dbd56f013826532e5ce24410fce357abeecec07e4d525cea627e911e96842ff0fa3a8848f8695a6476aef4c343601451a69d53e0469eb388e753956f94723cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
99KB

MD5
ed965c2f1cc76723af9f3c689a70a43e

SHA1
26519a683ffadaf2ee1237d9d0aea39087f4be5a

SHA256
ac7c711c8e92ff96e3c90f5ccf86f49a7ac1a2befa787a49298c8b51b0f5687a

SHA512
bed5bf8f79f80b2b7c3baf63e3544e86cf05ae1d459f1c0c9a9a9aff336d4d74cc3d1ef925db9ccad00d18235b00da0648d92929f1aeca34f7806cc379d39741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
16KB

MD5
726e20cd56a3162627dc18aee6994fd8

SHA1
a765ff825c6416764ce87ff1ea7f0f9968142595

SHA256
5b73d7e5bfdcb42aac0e8526b1a594dcbb83971e2fc0f31cd03aa3515d96487f

SHA512
8214cbf83fa316b6e1cf660a413e007eaf927b5b1346d005ceca620fad1c506bee83d6c2739d91bd6be507f5c2c4d420e8770a6d45467266c6e2149eb8605d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
24KB

MD5
075e8c9e66326fb7cb71e05cca1ffc88

SHA1
b02005a157813bafa5ebda1d9a9faba2880910a4

SHA256
0f2b3b5f35783130f456bbaa7e9e3e410351366ca644e732bcccf0f6461c15fc

SHA512
46cfca583198f1e13ec57ae35be3a5382bf011684070e80ad4f58da64495a109dcf79ec96aba918f861679255597feb8739ebaf65cee4bc7ddab34c339224ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
22KB

MD5
4e7e27d04c5e340b359b2a33e167f27e

SHA1
05af37e7945ebc559160fb191ab7ea0950c4ece9

SHA256
428c684d925d32cd7ec809c5a53d38f085b4a5d4e4f8f49b7ed2f7b1e8cb388b

SHA512
9df4f928843bbe0f90ffd63bd9ef0f1d1a7eb52c0881342dc0d89cf1b0e9cfa59e3f744c6bcfc06bc5ee86479319d3061b655b9e95cbaf9d899cb3ac80cf63d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
26KB

MD5
a76d8cb5bda015255950991ff2140e4c

SHA1
ca672034ac071b55e1dc51bdee5419560af3d940

SHA256
70b5e4caf91f5dc19b378e168535b41061892ee1f7ecad10217e0af4c0caa823

SHA512
d7463c677c2ffb5c039984c8c822d4fa6ea7c05ee5a7edd997d7c6aa9629e38adde33dc8061b432949601177236696b1b7922078e481884ad928326e6ab82a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
28KB

MD5
003e46f9a68110b0a1a528f64a82fe5c

SHA1
973ff5a434ee193480c2e005782f98c6a2b77641

SHA256
1a9aac05d353092b91ed961a507bec8cbc5620838cf1b8952763abdf08d4a4ca

SHA512
48f569774c4b76e79a45f435177cd04454d5d6e0e559df5625c4def5761409d06b6823cdd461098d27afd22324f68c712c714766d2621999f6a72f209eb69cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
31KB

MD5
468ac85a673597c0b0cc059cdc3b394c

SHA1
30eb8be280cf6e963a9a7216e23e3c21235a24f3

SHA256
efec91452b5d372205e48ee420c2e21f4a8ff6abb5970ade2fb418cd2f430669

SHA512
f882d5f02552fea137fb19a1e37e4b8919c7c4c9dff146e19f9bed5c3feca70930c5ef18ca3dd54f66a275d9bd912552300393e8111c163f76d9ae3cc297fead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
27KB

MD5
81c35fc39bb6761304ff370ff15e7e31

SHA1
8f0d18a347003f3859edf9792d7926303e125a7a

SHA256
d5b160e8e708f955e2fba7daa8a4aa85ad8d4c3049b6b4e308a8869f83014795

SHA512
9bdfc308bf29d206db83d8adcf68779eba7f1d9aa93dae2e4c2f7b5c53532a0dd55456280c55671da262279054851eb2b52a365a36a9cacc680a8c68b797e020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
17KB

MD5
6db80c3809b1abbbfd69cee3ceb2d884

SHA1
10615287e77b3c846367224e7f254125955e64fd

SHA256
b942dea6613394574df465ef15df2c1315a349be18248f0193cc4ac38b5ac33e

SHA512
294075f5e3c8349a2420b6abdf100f8d8a21ddde39bda8096626cbd47cbf850ad24c67c2ac0d899f0fa797989e0e0fdd17abc5a518f7ec3a23c3340b0dde1e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
02f8cb5b21eb519ed656c5fc99a8e2ab

SHA1
e9c386c2e3c3f5e0ba43e2c0d22df33a51ffb57b

SHA256
bec2174a76558bf81c5ed11e2461393b33f84dbe578ebd3dc3f2becdd2166fa6

SHA512
dd567c88ebd21f7d40a626ef55980f2f2e8f431cd9a90f6344b6203a069e9356038cee1961512d80ca164b233e4c2072b047865055335ea18607746bb19c644e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
22KB

MD5
ced0a21f917f2506efa4835a717bf1e9

SHA1
7025d48866d37eadf9d47c5db0a3f9c1947111ea

SHA256
11de708f5f8f69146c154901c1dacbf42953352a77aad22e8bbf07c87a8fdcab

SHA512
06d72e1c56c9fddac1c82e9d6d24ba98360c7de7408c9f071ed26517076891138ed633c1293837b53b1fc29ea812f429fb8e7d460ec4904cb0b89e181d337f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
32KB

MD5
390a6248c928b7a715d2c6a11628f7e2

SHA1
cf53b35afc1bc2ad9b04e7563cb7a6096717f6c5

SHA256
61694aa329a982c48460f2ace6c71b7034fb1e926239086f29aa1321dcf93734

SHA512
7f380c52ca5b039dd93751369ae674f0397cda6dae65d3c5071985479a78a0106b69011a06e3fb5801250f575d018ebc0250cdc386a2bf30a2f3741478057051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
106KB

MD5
4167a2f9396c010e743328af8ef124b8

SHA1
b9542143d9e244f4e17f17453765b21fcbc53a5a

SHA256
4d43ac04d65f6c17feffd49bd5e091e36c3fb476290a1ee484dfd5ea1a413029

SHA512
9380b27c14fe7631692a21db3f8adc9eb7444279b9a4c0a531a78e88d64172ea2191c2f956e6cabd1c163f7bc95d61d1214c6eaabbe516dcb0c223436d0b97da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
152KB

MD5
4521b6fb0d76ba6fbde6dacf5a6a2a51

SHA1
8ffdc57f21502f0164760f9e2bf4dc10bb3fb43b

SHA256
4f9e8f4c4e21819683335f73bd1e7d2b3afaa30d3449508472294885afe8f0d4

SHA512
13819a3a6357cd44717fe768154f8117115b22043e9ddf024b5b7ebc5ca427d733261e0a0aa0237be54dda49fd3010853b1692dfb74fe42695d201cfddeff552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
52KB

MD5
64e54768a04b4e686790a06b6ad53e92

SHA1
7afd8180b2010c7d0130fb442b31180edd20feb3

SHA256
f24d7578439d80e2d82d235d777dbd4ad0a9715e339c945efc020f567e11314b

SHA512
ed27d27d4681f8f4695e5005a77197fc7b03279d7113efaa9997fbc9b2a31b8f8ddd4924f52eb36ed8340be36d642eb8799ef37e65bfec9bc203827899438b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
144KB

MD5
7c962935a66b4f841856446f24e75268

SHA1
1fd0f146c3668f72cf5dd0d0719b260182a70240

SHA256
8ea3d436aaa34d291c672ecca2b7eb168e3e6d329644c54752943a4a5a45fec5

SHA512
1613c728bcd0fb0bf2989a85cbe27510ce561d7b2094f172907cbd8faa14c05457d6f13e38f1e2121180916c8fa2b9d847366f26e72ce0ab273dea76ad08b82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
84KB

MD5
00995a2acb580a3dd5f4480c73cc284f

SHA1
b890db0e382af7ff477f8714d5a49c2f372b840a

SHA256
3f774b337328f15f1bff494c36ca2e24f975b487c35620b8e6f75098d3f4dda6

SHA512
7c809b9225c10a9dc348592a2af3cfba8f06621521df3c0fdb76565dd7419107af118f0613512a58cbe15f1373ebadae584d240bf87a4f8affd7188bdf2e7bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
25KB

MD5
777a63c7bb73394365962e8e0fd2dc01

SHA1
2ca4ef52bd745378018eb30180ffa208a76b5c04

SHA256
10a7f1cc102eed344c455765969891f8c4ef071626036419fba5f17fa42810df

SHA512
986adc9a20bad40f8cace5dd9af3c3ac58e2fddfb30363ef61ef51d2493e603e28241da0144833eb62cae3c2d3fd2a38ba0a4822f01eb890cf58c7d7febdb8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
80KB

MD5
f8280d0dd22cd6917f565ef96cd9e2fe

SHA1
4bbb67731061f83a023ef50b27dba29700768700

SHA256
d6f5fcdd60fb05aa6b8e34527f63e0f399b09b78bccf7017b65560605f75ca14

SHA512
ab012c8fc5681d7fd2a5e5a4e9aad40d53c7b11160942607a9a9f0131b42fef0b94501b69dcf85afee21aca0ec94efdc338e7e817552433a527e56ca317d963b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
28KB

MD5
1b8e5496aca8acfc597832f2aee42ec5

SHA1
9f8308fd46ec50e4de5419428107c5703ad36995

SHA256
7c3b99a73f295ce216cd7d8143af310fe64cd0a6d6f60caaa7c7c4c97442bdad

SHA512
f84492cf9efb9889e3578b0977d494367ca9bc9bddb0aaebdab5285850c59bbe918145abfa16a9725f4f47d5cd7c31dfefe98156e698a4a409288d5ae3e34621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
16KB

MD5
89a574ff00e6b0ec61d995d059ce6e65

SHA1
aea09e96808ab77165ffa712eaa58b8f056d0bb6

SHA256
e5c29c139842fd487473d0824f2c01b374680fb35d22fa929686d17896602a44

SHA512
30d0d40bd680e61968273155b740901cdfa66670fc2af6f23e44c6b998b67cc1fcd0b51bd5f9470f209f188e75d071355e592b2a7c97f4bfd15d07d455e0909d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
16KB

MD5
cfa2ab4f9278c82c01d2320d480258fe

SHA1
ba1468b2006b74fe48be560d3e87f181e8d8ba77

SHA256
d64d90cc9fa9be071a5e067a068d8afda2819b6e9926560dd0f8c2aaabeca22e

SHA512
4016e27b20442a84ea9550501eded854f84c632eeced46b594bcd4fc388de8e6a3fbfe3c1c4dbd05f870a2379034893bfd6fd73ac39ef4a85cbf280ab8d44979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
65KB

MD5
8a42ba5472aa4afa3d3ac12f31d47408

SHA1
2add574424ac47c1e83b0b7fae5d040c46ac38a7

SHA256
759bfec59bce5ddea7751b7f93408074a8c27cb2c387b08b6b9f4aa111266ec4

SHA512
3e1081a6e1c29f6dae28ab997c551a6d107d4f4b7e0981a19ba81a30a4e420dee1791321dca8f4b500c9e7e4a41c5e5c75013a72e5a5cde3f7e6c50393eb10b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
59KB

MD5
54c638d0d50431f6be8f98dbe263248f

SHA1
13845430b2e57907e38a994e58707148cd971224

SHA256
b5496f55b5b3e8bed637dda54087472432a2ddda6d4b327d490464e832d10084

SHA512
251d964a091f67a01b6d0d8b2880dc597531cef6e6472c1c9ebb08ab69eb306b38bfeb3a0a79838e4b7d9bc023389cb94e5b36791bfdce43944937c2242a8b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
62KB

MD5
fdd3922edde39c73dc37b568650e47d2

SHA1
1566ef03ec365d9d7e4ac9fc9cbb4e5609b9b976

SHA256
d464beb2c15b29d24af42a7cf74db9539652dba74de861feb169145b5589a3ad

SHA512
b3c7e48d1bdf62d8436ff428af14155a5c2e834ffec8003e9457fc1458cd77b7474210edbb5f57eb838723844f6139b3c523d3a9d1d4f525aa067bbccb9e146a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
31KB

MD5
a4da976dde535a4f11ff4c9d57a8a56c

SHA1
fc4c29049db6d81135507dc3736cb638340f55aa

SHA256
6b85680498d0061e6b748f0fd9c904c74eb9f265f7d6ff6b33a37a0656164bf9

SHA512
e3db7eb080a2c927ec3a223d16d818cc76f9da51525a91b8eb3cc9e15106e2939ef6d550121b8cdf76d38c001971662d833d70a269ccf35d36278d25cf42aa18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
35KB

MD5
7c702451150c376ff54a34249bceb819

SHA1
3ab4dc2f57c0fd141456c1cbe24f112adf3710e2

SHA256
77d21084014dcb10980c296e583371786b3886f5814d8357127f36f8c6045583

SHA512
9f1a79e93775dc5bd4aa9749387d5fa8ef55037ccda425039fe68a5634bb682656a9ed4b6940e15226f370e0111878ecd6ec357d55c4720f97a97e58ece78d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
67KB

MD5
ce58019b091dbdb1895be63d765b1177

SHA1
37a38458a92835c43b270069c0629c6975b2ba69

SHA256
8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

SHA512
36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000069

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
130KB

MD5
7936127d67f265beec56bd69918fe11f

SHA1
c581fc0097652daa4f3a9fcfda2ed445956cc6da

SHA256
dee3b77dd9618970a18c535dd60b0ffcb5213111915cf0a32327d6999affeccf

SHA512
95e8d7bcadaf1f0bf6a3b3c29b2820004acb26d46e5ce556e8765fbc85e85b54e336b8bec9036ffd44d39f85417a4e18bec94b1ba8b99fc280288ef316867de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

Filesize
52KB

MD5
7217af2880aa36506a6faafd03edb306

SHA1
611c75d8ed8f22984f64c9ad1c2f2ec80f6b0e42

SHA256
49070c987e82fb2d78b1f3f9c6b270f0d8357724278a193f1d9174931efc476b

SHA512
8aa76390ca67e9639f738e8d6c3d96ca80a439698b6d9c5d6eae57fef76a1d61d327ce76e6a14eba7e2d226362d4d578ba198e21834617d54696e6eaec29e455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000075

Filesize
31KB

MD5
1dbe917c9f1cb2d708bd16fc047f3494

SHA1
ea2ab321e078a960277ab25b8e5adfa4a1bb150b

SHA256
501fa5f1eb93d5503ae2054dd2f2afbf75127306f5f24010a1a2ee0261026b96

SHA512
889c1161d150b03e12125213234dda080b357808c2a28244f5e29f6b5ddbfa8f130ab8410d059d8a11c7ea97acf91b6b8c38dd5d9637c824ef46ae64d57fb7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000076

Filesize
144KB

MD5
dacffcda691411231998efe032519dcf

SHA1
a749100ebfceeceb44c5df722c56be0c10a4806f

SHA256
831b0c446916c0b28ea3b87d89e82b7e2ea57bd38ea1cabd4d216d75d5063208

SHA512
dbb0152c86564efd67dea4bc8983ec85be74193470bceb3386f8eb053d15fc621a20339520aa3dfe306d8c621460aec73c00429d49ea4245b6d84ac6be35ba58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000077

Filesize
83KB

MD5
275a35c583f5a4bb0a7d81d3499a688e

SHA1
8e62dcfe1de146b39aecbc5e8b8ddb60dc31af00

SHA256
64d66154c17b4fc97bb302bded209c74aed7f6de537ce39e71ee7f06923e0f8c

SHA512
2bfb6f11b55c496074222587e6831e10b6a42cb4ea124c850e78bcc2f87ea0107d3a024a42540fc70bbbb04f9a109869629dc398fa5b19d29f14da711f123655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000081

Filesize
20KB

MD5
fa4cc25f0f72ac052e9413b46705327a

SHA1
72127f17a73fdeaf1d867ff721f8115e90d82e8b

SHA256
62215bb3463a1bdbeab484739c056495d60f9e6feab8e3974cde6bf69504f05e

SHA512
b33ebe5aad7802e7aadf31bc490bb697a7a941c4ec9a03c211b42bf54403f05dba02fdbe42bd7c28a27e309c868f4d74c060840a4aefdff57ac9c5c2cb66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000086

Filesize
16KB

MD5
a2edb5c7eb3c7ef98d0eb329c6fb268f

SHA1
5f3037dc517afd44b644c712c5966bfe3289354c

SHA256
ba191bf3b5c39a50676e4ecae47adff7f404f9481890530cdbf64252fbb1a57e

SHA512
cc5644caf32302521ca5d6fd3c8cc81a6bbf0c44a56c00f0a19996610d65cf40d5bae6446610f05a601f63dea343a9000e76f93a0680cfbf1e4cf15a3563a62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008b

Filesize
20KB

MD5
e92faff58b6be9dba9bc283c4f4c8513

SHA1
49588273a413dffd248cd35dd191189ed2c2343c

SHA256
8c6c6736f4650f9bf7af6fe14128a3d173816f3dee2e02c5552240c04852b691

SHA512
52ddb77b600f519eed2343d528b9c9bc03585c82edaa91c63e8850d19be23c2f645bc8faea19c3d75ccffb30e4e69a3605883106fb1783346a8883465051643e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000090

Filesize
20KB

MD5
02d0464758450d87a078aea4e46187a1

SHA1
41154a61b8192c00a4f03e5ce97e44ecc5106e74

SHA256
c6aabc7504bbf101eb3b39fb3f831b61148f34605c48b02ba106aedccde52750

SHA512
9af139023983a975acb29147037f4fa8ca820e15b4c5f471e2cb000909970ffbfda2b210c8330cea93271bfde3732455a545730e242f1a0e59871bdec702b39a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a6

Filesize
49KB

MD5
59e140e9e76273118f4546b168a8fdca

SHA1
cf6a5401fb149a7ed5944e0926cf4ad2ee132ee4

SHA256
264e07b751cf94fcf50f199a96bb08ea5b199b55eaf65cc512f8e0eb4176dd78

SHA512
9c853519330b2c63296d47eb0998f1eaf732b370108758a2af1e03b3c9481c7f526574b46e47139e8074ed4a607e74d7265943f9bbf5067c4802ed440e2ffd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b0

Filesize
32KB

MD5
a201007e44ff8e63e7dc819cfe1a485b

SHA1
1007e55d4195e99ff94623b3b4489541fe297e39

SHA256
678e3412231cba927faf41bfb44862512385a0eeabae0127f363764ff825eb38

SHA512
7382efad57e82efc4fc8412e7a277c24f1cdec324cac16ddc2ce09d36ad660c55e9b5b58ed1f34e0515eed7cba22ded8b1a6c43f73e765833832f9189e99edd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b1

Filesize
20KB

MD5
4eaf92371bee3a85f9538e67c78745ca

SHA1
47e6228d145ee33855b238ab871de9577e5246bb

SHA256
932ce7a05c3420676af1ae5a1fb29946e22d20a43a2e2e904feddbf7d8b6de2a

SHA512
6a6f2e32a03e5bb4b27cc08783b451696f4471c7fa6ad5659ee52a8a3180210fc5810c58c12c2c1e00910bd69223ec83d3053108e973fbfda6029efeb6a22079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0306fae16ce197ad_0

Filesize
60KB

MD5
ded719d7d6279864840c9588a543c945

SHA1
085f4f9596731f71c00b8346f2ae80e958a21a5d

SHA256
d68a0be6e0b36c9f0eefaf4d93a719df46a7e3646d9782f01d17ccefbbb8bc3e

SHA512
f09d997dd5c191626272722e0671f01e5151bda91ba6ebe88715b6674cf025c591626cb7fb29f8262ee727afa670ddb338e89a44fb865d5e4da323a5ddbb6ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0ae9d18b6cdeef1f_0

Filesize
3KB

MD5
856c56b91551f40b850d6eb25b4baa08

SHA1
aee75f42078f3916876b970888ba5e677edb6f0e

SHA256
f61101fb7278673223133c32d8244eaefb9c82521e72cbbf1335fe3e29c68990

SHA512
038be6c65ad30aa97969e7c685fca6c9f6ff75565d272d4ea1fd7645d09d592b1ae6b5b9a79f8e320b19b7b58d834e07b75adbe89ec2c60a66aa1bfac4b79653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bf1781f9201bb86_0

Filesize
30KB

MD5
64e6cf65bff58b7785e4ffbec18beb0f

SHA1
35e64ec623d79f650a539bfcc407d00c7bc6b1f7

SHA256
72304383ab9f8efe168a30ca21eaf6cc0909cac056feb750ae686c6eedb275e9

SHA512
ffc1b2fdc9da5cce703950f0a0a71c60c1319d7a847fa99d0e1deaf4e3e946c0c317ea431e6f6f752dc7e949136a1550075dbca39b5466a253ca8b22c9d81f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\21eb27cd6517931a_0

Filesize
249KB

MD5
37e0d4e14425cfe7059c829b17913c65

SHA1
dc1ec692214853065513b700a3e12b43d3207545

SHA256
883dd0776e55994669870c36d5ec86c4d4e60a5a431b25d0331d1dd4d7b5e3a4

SHA512
1b9381b79bdd0e69df3726e52c5f6cdca358924b272484a3f2ccb1743d3c8905016c972cc2c80146c7e5095314f5bc56c1a09a4ed11d5018d028c7a8f4cce161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\345cae42d5deebab_0

Filesize
360KB

MD5
713f342d101edddfe8aaede549af746c

SHA1
e1b9744f70ce8576ed368da6fac5fa2ee40a1f85

SHA256
482edd4538b469a0e21f282ad2ef865bc2866f8e88b4ca42804f078031d6924d

SHA512
4cfc379ade1a5556d849cf1bb75aa718d1b6d33d01e6ca537740f23141fd77424140d136c8f86bf81823036ccabc073c198dd5a77d10e966ed421b28784aef3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\43d7c480e2253ef3_0

Filesize
32KB

MD5
29e72825d0315653f6563de654ea4a5b

SHA1
4ea7d4302ad048bc609ad715544b7ccc5b90bf62

SHA256
e449ddc90990b21dd249b46b3c20102a2d12ab70b6e1125a1b198f648a1109ef

SHA512
77b8c52696ed1da0706ae33c2f08ad10a372614f9764aca37fa59fdc1d70d1a5c197b7940a64bdbdc88a6d572604a3065915cfce2ca6a7c1f924df2ac5513a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53b92fbc4d68952f_0

Filesize
270B

MD5
f4b563c01ee9b84c0f47b8384a00a6be

SHA1
f8bcc07620130b46c3165604e3c3577129d34e6c

SHA256
f3cb9395543224d16b4096b789293183b174f5219ea0019417a28d24b8ca47ab

SHA512
a9b9d5e6724ad2f8d37ee5c98897912fefc7eba25b9ab81995fdc82540ee48b75e3ebbf7c048b1267302d82d23b386e3123e4441d28e37581e77bd159b775ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\635c5a48473ec11e_0

Filesize
37KB

MD5
74a940bd28301c7b7ecde75d186252f8

SHA1
a80041362958855539429b55470e39ffad304857

SHA256
638e13770c05c746af72bffc06701ff3143491dc7be5bd3641605ef9f9b4da6c

SHA512
6b1e795aa933e178d9a889433bb7c8fd329ca17105c3482f06f5a003a72329b29e1a4f7f56fcb4aadcc2377491947fb82dc3fb72d7e8d58af6e13711b40e9b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6c644062b95acf88_0

Filesize
275B

MD5
55d127cdd8fec532c3ab4d46ee689897

SHA1
d5745cf0b7476884ebaa3cf1cdfd04f3f40fdf07

SHA256
8604ea39f539b03604009788c751739d45ceb6eb28ef7e688c7e0d16822a6f00

SHA512
da9c3b7682bc3f1b59d56db5c8b0eab60b6294ef9a58ea62f9e285c7cdd8f6d3a2ad6a4139b10508000ea72f0721725955d2b59404b1b482ca92394d7c7736f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71848a3da7ea1aa8_0

Filesize
301B

MD5
61ca7f998e888508e5b8ff831248feeb

SHA1
82bf4597ffeb9f10f60d940105a5b2e0070359b3

SHA256
11b3b52a2083c6a7f25528e30438fa23669645f6f219fffb5d87c715310fd12f

SHA512
f9ba9521d5453df13afc67213dfa4f08b47f59c8beaf149954a70b8a2e3d8e3ca46637f191e7fc8b29abf4a2e57ecff7369e49dd7cf92d48d21de492064fc9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\73063c5a34b32915_0

Filesize
267B

MD5
0a49766a82455878be620a75ec8696b7

SHA1
d6ef38c3319668cb1ca6a7573e88898b22cd39da

SHA256
cff9044c90e3a5780149f19ebf1ceedb05259c0a32f522683ab27063995c677d

SHA512
9c0911680f820a8d3697bfa9f54d2050e6b99644a1a6e07803a13cbf5256236d7fbe8e39487c8fdb0e81ec422792b7a7da890ea2ca874d659328fb839970d743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\730f4d8dfea0b688_0

Filesize
25KB

MD5
ba31f98028fc5254d18e6375554de911

SHA1
14332814536aaace1b4c0de57c311a69562e58ff

SHA256
0678c1cef563c00de2a9abbd21b0ddfb58878ab9c3dc9ed1b9c5dcea4329e9bd

SHA512
5fab9ee1e850cb24478fc68f09c4ea97537089c864bc8b17ed8a7aa49cb85328c1d23dcc4ece78a50efac017a6e2f72bacb988388af94fb55d95ce8b3ffa16bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7f0c098b6c24cb91_0

Filesize
387KB

MD5
f912f2c7c09d7e22f4bf232d18bba3ce

SHA1
42445b84f3a25fe630e24fd1eab35e6a34797e4e

SHA256
862bf377e506d743f81a43ed57db49fe8b2a276363809c44b6ed067047c3c87f

SHA512
0f53b560be600183be780386e763042ca5144ed396c4ef55e1b8cc0b505246d77805d6f5c9876a43d2ef911d1c436d9457ae4ff8b625381b84dd5938e3aa9430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\92063f2bbd648a4f_0

Filesize
30KB

MD5
5197130f75be6dbf7b6c8342ddb27794

SHA1
04332d346d2d8b7c05c5bc56cf9d5dcbfba7b120

SHA256
3a9879d19debe3b76e0f704d9b704e61f0b8f3cb5a63e8575bdcf46e8d79f751

SHA512
7bef3fcefaff4f8a1f2e517767a779c5579a519e907b9920f13068f627d9e4655c5e926d368e45f3f7208fd30ef24326c969697886f0c20c08143f7d1a435872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\983ad1460c5d25e5_0

Filesize
103KB

MD5
0856951ee168368de5dccfb3dd99b2f3

SHA1
75810f8131122d30d1128ed754bfdd2b28301737

SHA256
d785aaf64106e7490ee936942f21215d8db4f1a299ef30e8fc609f1f7742585b

SHA512
e46e6467c3909a050529ab2ea76229095483a42a83ec1957d840912102825b01a2dd866df901d40e0f9b74086325bbf2cec02bdd9bbea49d0ca75d7875ca346c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a4e9e66b8a32fd8c_0

Filesize
60KB

MD5
df906b9fa6abc2a92a7cd06aa603e67c

SHA1
6843b0641f2c39fe1fc69eb7b6f56c5050d75042

SHA256
8aa3b41c3ccdd804b0b1a8061e89801c3a3d9e042954cd6a250dcfd721c489b1

SHA512
2136e99e5531525b2435ce07a287f3c4a386a410260378f30b419993d9237751719c2da01dbec5d72d55f9cdcf25b2b707b3e47c9d4a4af44d21ec5ceb200c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac8aff70c2e002c7_0

Filesize
582KB

MD5
ceb959b74ebfd5755c99ac0b29b6695b

SHA1
6b8dc47b71082e2fe790aea71e596a1de931fd28

SHA256
c814e433eb3aea6edccba6dfba649cb78a9d393028609e74a7c12cfeb62cd49d

SHA512
cba5dbe12ec7a561b8474a277ced9d58b4e1b7dd9dbee44334b6f3026c9ed3b894a5aff5810425af39c0617802946e6864b4ea6e42eabbe4f9bc8d361d3083eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b2b00721fd2f9a1d_0

Filesize
312KB

MD5
e529a0cd79e5a6b83c0f9784164b006f

SHA1
f8feaa819f78a2cf46f8bdf9756ffb2b3c4caab7

SHA256
5c791442d1bcc430668cae0ae00cbc6fee4ca26d88258b205b81e82fa023cacc

SHA512
16916afee5f367b7f9a10f07f35079c8bc21886b7de61cd0c6bcc460f6370bd6700719a92a25d0adf2a990752ee43e0d9551931b2a534d91d35ebbd93d2a7a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bc69bdc5bb869142_0

Filesize
249B

MD5
bfcf802ee9a74df30299b85ab32f25ba

SHA1
0d6b705b91cf3119aeca64b101179ac7228dc16e

SHA256
973fb3deb9c64ba81bb195eacca56fc1aae702620987cbfb2ce950b865cdbf22

SHA512
0445df36944551c692491e304a48c819c098409659bdc876d10e34c1f0cf665f975d7014d219679bbbf58ebb8ff88d0891a5451c26ddb4dfb7f463eb746bbb83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bc69bdc5bb869142_0

Filesize
55KB

MD5
e48cf229a9aaac039e3c045b133de9c1

SHA1
d176958ef24dcbeb0026ddc2585f070b01a21348

SHA256
03790b735e7ee4f5867306ee3531e4c42f4d90a7eca069796a4e08f2fcc5ddf5

SHA512
cff5d5d47085a49c3261e8ca40a2183cb644c50322b1ceafc618b2d235104822d20d5e2cb1c1873e3315fc7c69fe539d208a0b6d63767a663ff1c6af8cd357c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bc69bdc5bb869142_0

Filesize
55KB

MD5
ad696761ba8f8766a89e8964ead86b95

SHA1
f3f11d3bf13e24848796fb6acd36780ed457938e

SHA256
9ad1137a875629498284d8cb559f385cd36a7ffed8f7144ff68785052c7f0ac3

SHA512
f240d2f470627d8ea2ed2b4f1189811d1f224278a416f6a2fbea71f0ab74764927484ea5db7182f0e86103de0335ece8c8568bf5bc50328e58605202b8a1e811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bc69bdc5bb869142_0

Filesize
55KB

MD5
1cf0a048c6c3eaefe8a87fc29cc4872f

SHA1
66e2e25bd6b39cf4953ce86b3ba5e8a68fa143e5

SHA256
781c67f541111b71ca99d4bc77a31a802aa31908338aaeabf71f77fe0cda04fa

SHA512
19da91c7258a29a245ef5a8bb1fd27744ef98d101600de3653f95a1d0e0eca51466ddc09f0947285e59f5c5821137bd924f41a3526274eb950e5493fc76b28fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\df53bad28ea1e322_0

Filesize
303B

MD5
601902b0c888abd0d6a163aa45c9c632

SHA1
55b15521de35f8780e5b50d234d7234c6031d160

SHA256
db454cfeee6950abbd6d40b5b47a9d5e29f6f29d4c620cd1940126efd619bda5

SHA512
0f30acb0724ade5fafeeaf991343b26d95102096cfd29670721e005834ab997d1552ff2de2296087a43c97576874f8d947ef5b4b9998ce9a1888d8768e318a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee46582361c18fcb_0

Filesize
264B

MD5
84fbc097ead3771483367c28ef3b0bfc

SHA1
809dc119bbb3310b6179dde44e219baec51ecec1

SHA256
20c8d3c1289e6eb8156d313fe41670208b412597bbeb66fecc7a35c58c20cae8

SHA512
1d8ed23fbaa8fc91b328200d9d2346bedf0a4185b2fe138b9b8f749436bb6e903acd85cb0b78ef0239ffec152c4f9007e71c8ad84deb4be02cd72ccd02f4763b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f10644130c94f14f_0

Filesize
55KB

MD5
90789ac2794d61be8e072e6c52ca102d

SHA1
5ff81f664bc0982ca9a8036e3c6740c8d7aa7d30

SHA256
a2fa97705de4b0c123b9be6fade2d771be321e76709fa56c5518aa7a7da87312

SHA512
e51c6cc4861c5053c155282e0ab0e16c0eaec66253a4feac0b92a09c9864e63e2084f4d19b4858f3d7bea2ef3f2b800f15813aeaaee3a1de990bf12c4635a860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f59cb41c7f6a27be_0

Filesize
62KB

MD5
7d58c9c29f8cfb26c621230faa75d059

SHA1
c4689391b338b3c9795d7e44595e6d4fefe63a8b

SHA256
ce3c4f213647ca69f53269b59fbf49f9d2976d84866857fd4ddd75163a2dd27d

SHA512
4e29438df9a9eb89eab27def2414483cb5565d9ad23a68931bc9d770fb7ba6084c820d11774bb7b92a60f035c9834c8780e494daaeb9d7723d6a240f569bd8b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
3d32057fafc762e09d36b45ada18bcee

SHA1
e2ddd57395ae06725754ce8f82948de30973481a

SHA256
5c212127e542aff532d4820a8057b02369bb6ff16eeed1314d40d1cdd8f92079

SHA512
a5a567f77028ccefb2bf3e6b4134c675ad659107068ff188fe9ab188948fc466587150ee330ff872a53caae7841f2c956223d028e7b9c3df3a98fe4c04b6e286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
024c12875eac2a11d3a9d8487a8992cf

SHA1
00fc7935470b10e62c204b7144f3cb0890be83fd

SHA256
3e9554f8862af3a94f608f82f6cd2e92ff4e8c11bbf82f7fd23ed98cfe735119

SHA512
ad5cf9a599c444913ad03de5825b8eed77116201d2c6055f0fe23895363a3a20bd4c15f751007d489b884c6a5fa007d6704b1fb6f232a042c6d3282c1d7a2e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5d74dec5da69db63721ac7204aa161e5

SHA1
27bc98abb88f120847a59d2d44642ba747c455c1

SHA256
5aae0316edd6cad696676c5225a59ffc67720d2803e09ef67b1b210bf11d991b

SHA512
50151756b80c8de76acc5356339ad28b77afaad5794b53fc109ef2fb9ce9bc72d861fc1a75a12b121054ea7d347392024ef960fd13034d7856777112fe8bd9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
8cd823ec644717f4029a8d3dc8139c16

SHA1
2b43b2debe76e722257fb6af2cfd8fde9ed260a4

SHA256
9b4aca4ed4d560928b82afe7523827d23640b9ae9779d755933db51c9f76b18a

SHA512
5fd68854a22554a520c75097e39a427bc7e24051ea599668d0309df329e5118c1c5711c8deb2e38e9ec6caebfbdeb39abd331cb7650c5518d099fa37b5f334aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
653f0be59e61e857229c19488d683f05

SHA1
190cd1b2f68d6d07868d16dc5d7a701c0b99513e

SHA256
84734bd83dce267d499ca8adbe01b881cf02dc7ba59d69c3b8256a728faaf34f

SHA512
903cef447431ee38c15a1fb05f6979e874760db1de3e181aebd60e9718963a203d9aa20ea8e8711ee6f227fdfb5a473064814fb82d1e485b1852cf141ca6bc40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
cd1cd3d8b3343f5a6b7511ab93045186

SHA1
c2f1f3ebf073af86392a2a2781fa95f180d0bd37

SHA256
d31afb8123011141851df3b86392672e71f23d214a30e11e2e1eae0bde6757cf

SHA512
fe1867bd16d41fc5f8d9bbbcebab67d5e1bf321716ba431d4b4d9b19fc426de7da8b8306ec4c0a3f2da98e2f9e816af35c4fa64c81f7b7173462b1b9637b6533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c624e45fde6909ed058fd0f4c7272d0a

SHA1
dfba94814bcf18e20d591a8caf72367c28931522

SHA256
9ae7dbe4d709d8adec98a79494678aed346f31f929118c0cda6df7f002fdbabc

SHA512
11c7967f15a910d7bc88099f7c71b5a294951d79138e9dfb11d5d8b6f9c0c230b469c7073d646e80b055b5a8ff2b911219e2bf49e994b756e422d42d4c5e4eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
82aff0de1dc7a8225896744510126ebc

SHA1
737ad37c986b8d464f106ba097380e5162c9936d

SHA256
6b4047d5d3ce139f71696eafcaacf0bb71ff461c405fe585935856aaa9812e59

SHA512
16d1886900c6a50a791e7feb17067e48e431a5c72632169690556ae566a9512ec9eedefc3f31ab84280751a34cd0d5899d137c857a98f9a8d6dd4af36a8b4b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
fb83d2abd51c11d89f1665b19dcaf453

SHA1
c1134b0ceb49745554672b1f601487f441509f86

SHA256
ecb957a6767393f8b56e73daefb86b6c532abb7a7fcb5c4db74e170aefd777f9

SHA512
1bb1bf3b9ed05d23dafbe774ab525c3a8cc93971f4ef75f5b7b7a2d3e3533b1e67f824fee98c5ba8a41cdc1ecbe1080f9ed7d50adb5abb563f1f78aa6bcd5db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
2b68da8e0e1e3f03e92180db4e557b76

SHA1
33957f2a045faf868733e21be5d60e1d88488895

SHA256
9c3d88cac8be1ad8a727edd308cd6bea48a2ceade7c8889f7e5530ee6db71f7a

SHA512
1b51b033bc3b260bb593362bda683674dfae0288a9c5f914faf877484ae237677806540316743362e6a6f27d60a34f07e93963d33cc47b3b3d367f4a0905c63a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
2cd7003958078b36ffd276dee4bf55b5

SHA1
e3064b61a9d85ab4df80d3278febef813e052148

SHA256
47c6bc5d1f9e80b8b184f19322947969d0c35fcd426b2b23fe4d62253c37f280

SHA512
9f065092e725d9773fecd86835bf3226d55e8f05e04246e861b9fa498011b81e2c7b82fd57d6f18595985459a3e84c4e0734a40642b39c77d9d644201b3528fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
b7b8680be2f04324cb162ab1948c7322

SHA1
f70427206219a1b2a0425563349a2bd82c627e94

SHA256
f21dabbfd2d99d783a7bff517632a48d8b0628356fcb1db1cf2943b33af53a34

SHA512
97a032147ec9f88307dda4ef98f5888f215b136dfdca2b21a3c2e764bb43325b8284c86d0f001aefc0c146e7d89a32966c1723e3fed8bc032bdfdb6fbbe03f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3fb92f101b38716748ba7ec4ffb9f830

SHA1
53d1ebaef5c6588db55e00ed1ec74994587134fd

SHA256
99d7a2591347135aad000560665f4f4f403fe5cdc882492c4ecb811f30c013c6

SHA512
0ed588d4d439aa88c74b9403d411744ad14a2dcb0b9f36b7154c5b75b5d28639f05bafc1634242f6cf3c616195f1cdc0fbbd3a019ff49146debfc5dc910f2716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
403d109108dde9d52d19f075521ad89b

SHA1
10591e188b7b0e86910823390675a555fede5206

SHA256
e2b46f57dee52b264a46462d0a02cae100c828ce7ac88ea40491e3cef6026b6a

SHA512
8573ac56d9d299dc87364cee89b86a3a282e17613ec0bf29ad1df00f5b77daae654f0b802214af8eb79a73637c2b9856d88fc058154776298b913f9cf4f97b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
47f423c9322ed3fc0d06aa6268109e64

SHA1
769cacb6978aa2f9596cfc9005bc83c664f0a2c3

SHA256
af4e0df06577b7e94ee7759bb2229c665316b991d5c05a9fed9191d7c864a82e

SHA512
b9aa83fc3c78275ae86cd86527aa569ea5df1577d783f913c002dd64f97f4289032dc6267b880f8f9f0e1b6608a09e1e12eb8b4c040c9fd846513a589eb51428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
08d80034238714aaad759cba9af9aa5e

SHA1
cbeef5344e4b8399120c3864516bc1bc3a31cf4d

SHA256
046ea01d8283af80c0c41f40d096bcacf4c40ce5811b0854206c1e11e520ef23

SHA512
f9707700700630467422437a58ffec3cf812205a63f54e10cebb242965bb6e1041d9ca74e0165724780e75b451bff8721c438519ed015b6c175e99336889a3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
574794e2e2b6c9d8e9a365593f6fe77d

SHA1
38eb0e6a64f33fe6475c2d3dde49a0fd27168c5b

SHA256
82369daa254d9874a348f2d548fbc2a8c790086c5e4e4c2f2b23550bc3c84851

SHA512
8c3c004239c7c2f55e6ea084a149994cb4ff0994c94b9c677565304f76b2e43a13535fb3938f481765f1aa28aa00fd37a94041ecf2f0616ebf539cd18ed02905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
d5f3222071e93b90d1cd6e50e1af4df6

SHA1
d03f9b776c4825374792288b7d08835bde358204

SHA256
3ace0164e2e0ed20a4159cb06fc6fee62b84a24c0ab3aca46ff47b01a1942d95

SHA512
b84f97a9fca22b5e01fc6dc5f3347a43829d41e51bf4c210b5618e704955bb4d9d9dcd38c2f83830d6884374e9b90b73d990c386f52266c58079a31626159f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4db813d4d60d1e98825dae715f72ac9e

SHA1
e82675c187df57834dbd1cef72131484a4aa7556

SHA256
d857234c75486087af6c23795f3753e8503652da05ec6b65f607c5d408c6f32d

SHA512
d4f165940e28bb67dcff9b418aade32c4fb16a09c89f48fc2db7ecba4217890ef3c75c307e2573f7b5370fc062e9df87ba7f973cd3df0ff53f933b6d194b39c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
d90cb9706999cb7e9a0667aab2f7fbb5

SHA1
ba4bc0e1217a35c98a5f958f1f40f49d58661bb9

SHA256
7c16af4d0c4c60149aeeae5ba802a5564d164d96bc50d68b8b1c12118dfddba2

SHA512
fb0af4bc629d0109f5d51a9f37bebacf318f7f4eb6b9948dd26177900272231ef2452d5039d1ff9326796109702cd511cd2a300c874c56906af26bc7851037d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
2ea5461a6b21963140201e076879d5a8

SHA1
2838f99c82bfa162666bc4611faec77a56a3fc8b

SHA256
8004649f80c986e589ce435451f59d34bc6905659ec0009ef88dad9abb880a68

SHA512
6ed8541a66e39d78e114a07a9cd1e3c1574eb1f6cc03cf2bc8ddceb8ecb9c81f964142d3d692c4e49040a927402d7896f259cf260c15fded368c183c9c34e556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
994968d6bfc71352937ce36947343980

SHA1
41b1856614efeb78a539c434009ce3c7cc7e3bd2

SHA256
9b33986e87160f321cfcf88e6ada4f9abc6041530c59d96991dac532dce43966

SHA512
6af7c7c28d3473757cbf56d9d898d50c1d4d50e68ea68555a3a7d067816746b33508f130c70fc0653b4354681a5e4bec2d480022f506973bf7baa6dba76c8ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1096bb1eca212583c09e2a371b8db4c8

SHA1
dde06121a1f41327936e430ccf2da041aa35ea05

SHA256
3dbc077e050df6a4acdf75be109643eca9e3f378ae475f40e025b224174c3126

SHA512
5554391845de84fbf258df2e88cd5b333e6f5a88dc11bc616aefa13b78e1ec05f6753f6429460d3804b2f233ebb27e618105ca58af4238c1cc89ab3f00f3b086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3ef5aabad7df7ade27dfd7be53b98505

SHA1
e21c851f8d456775dd1ec164778ff78bf2d19f93

SHA256
6332f61549fcb9f686fd10353dbf9c0cedcf27735e8abfe8c9ea86cc802a2d8c

SHA512
867d159816778e82115a332cb82a77fbbf30c2b702fc51e685f44d64847132aea5fdba1a14d56f6b59cef08b53dbb00c3f0dc9593b7fe2353ba4b61d74392319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
7f67539253162f328a7f8be91d3e9bb1

SHA1
32ed3049fb5d585cea7ab3af9c85a86bc120a7b9

SHA256
6e114e1b34fadab7dee068dbe7f9295e7dadfaa2e4df052bf5b0da1ccbd3da67

SHA512
1f6ce4b904a17568775644118239bf7fde7a251fddd6027d1413abbeca16c4a4823baa3d11bf0bfd5ec13cf1f9334443f6ae1a4631b4e0622bd21875ef982890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
8a7b9722d06c206bdf9c2564767356df

SHA1
6d2d2a7f54d20e248debd151c8a6854407606b3e

SHA256
351e33eb2c8154250dfe4185430e58932984a06b3291e6cab2b69b914794eca1

SHA512
e561e39c1718c42ef8c02e0ee58eb2a565eb285cf833c74ba0b84eb600e2ad53b027facaccb31f42835c613b86eef5817f5b416718e4e6c895bd96e5f4039cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e419fa07927e22b120a75990fcba3aa8

SHA1
60de9ad6c66dbfe6d7bfb8f4bcc7e9e876b96171

SHA256
836fd7519ba1eaaeccb6de973284f1ab2b38135d794d203ac6a7846dddab0b1f

SHA512
858349384104184b41086315b145193522ba76ae46895d09b6900d363adf9c9173757c8cc2a867d358bbaf87141095f12568c7071905a09932ec141141ef1679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
6e59f6f3b18547ebe2d6ced49fb75365

SHA1
5ef1a533cd1ba7d71f5bb81d9b7b7f11f3b69677

SHA256
40fe41322304d9d3296fa3d6505fe637da489340dcd4e6fc9ec9c51e962a5660

SHA512
2a2d95e99dabb5a104156ed1321f13f43a7434433b087d7676d80e768ecbb173eec77bec19930f2de9ca7e44552590f4fbbfcd6af8d0e8126c26004cf1f5a608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c994.TMP

Filesize
48B

MD5
dc049405f554b4e0eddd2ab771f3b54a

SHA1
ee6375d3cf766e88beb5337670426da1bdcc27c1

SHA256
9218cc90da8f194decb393b39cbb746174a0657b194b2663a97f549178375ef1

SHA512
ff1f997f70516d2cde04efdb9003ca442138913c81650e71955c47fda39b7f071921059e0fa712672a99da1c026ab581f98b90f84755c347e075c7df7f02c40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
865062af1acd5ea6b725e85cea1599fe

SHA1
9f7a8d20fc30943a46c75c0f43e691e1eddad349

SHA256
ca8b254c3d607364a118b2184c093e081ca6d932e0d4f26ca60565205a39190d

SHA512
510ae2b5ed041dc9809882f92d47527a6ba56791e72f1978d8115c77564514be3e404f80140a3c2dd75b24a687eb81e2ebaef8f45cad776796e4d6152b103d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a6c54d49711eb795688980cdca51e15

SHA1
ed342de746579878889c4daa66e0e897f8b1a68f

SHA256
832e44330d8b882e8680a65fa84d15745ff19ddc0a43b3d0ef585c1c18dcc009

SHA512
496ab0c3b24e11d5bb9a7af0312a2d55caea5bc437da671632ea6e1084a46d432453823a44fd06b2d93673ab21e4b1e7de6f3ec41ae1dd61e284af6d22d39383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acbef1fd7464532449f39623c131227b

SHA1
9215236ada6a2195462678ceb1a53f0a10800ad0

SHA256
8cf59ecabe460773d533412a99d5bfb3e9f53c490ac695e43a89416ba1f240df

SHA512
bf8a5abc62bd7ed3d301d7bfb5e576ec48eb2c8c7a53f7953af036d42e2d1449ebc5fe58b92774278740466f3a682e989d3371f17c7556c9954663ffbb6250ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
c4f27a639fa033b3c2cbfef2abab7d4f

SHA1
929398facdbc794e55b87a114dbc1afb0ea6c897

SHA256
edb027f26359fe607319a30db0a4e39455b777dda680e2d69c9d9b383b523b6e

SHA512
ed555c73defa5f261e99d36ddd2ca7c70050b0d3bf044b18eca4a2ae5dff8b9f9187238c4f9a478c2832d89297ad248e1675885ce0eff592ace2d251409f5b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3e72bd0d98473d1669307ea487e41a73

SHA1
63fb6eaef1b8bed709f8dd19f67e930ff4df7870

SHA256
865c6177d30d225750fa5c85ee47652156fb7fd0fba9301f641ef88de938fca8

SHA512
d6a3b247c6f3c768c2f754b4ec1096c15ac53f4a79d2434d127b7be6ede6ef71040ebef567cb00b6a124969cbe15a818c80f9e169874ea5da5f327a866a02fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
256d4e0f8eaf264df39f7d59b471aad7

SHA1
b6bf4faaa8f2e6c6a02ae5f8611e50b04d130a09

SHA256
2f937ada6506bd87736a1fed6aeac7cffa78f8d7393467659a19b664f8ad878d

SHA512
0c5461a6df5dbb3d1cbcd1131a74ed34a6b481a910d912985a296e72b1177750c1b499ee26ddb6181d1fc2b1527ddb1485180dc784c90aec7ee92cc101e03ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
955c595239a675b2027a1b03378b35d0

SHA1
733afae6a4c805a691417d69ec81a56a07ee10ab

SHA256
26abb11de8c9b5efcd485e5084fd88ab56109806b207145539b07c0c07aabed7

SHA512
3aa5c2fe18bf56eec96d64948fa6cb95a2e2d7284811244ef57f2010e036e0ef07a89a91ea1a3fca87f852f8b92b1ecd668fc25bc947bde2d35917c899265685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1cd05b3c185cbaa3ce1da10958c1f4cd

SHA1
840605ecaf756b4fdaba51052288453457e37d6e

SHA256
ef67078bce248e3f9a8e1af514839a2ac8551af33c7c63e6022a3a0eda3882e6

SHA512
e39792a4910718a42f78ccd84d436f934dd7e74a789862aea77646b77d5bee9901830954980a7000e7e99cd74326e773cf82592e7d075d2c8edc05056307fc0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7672f1bfbd4a76390b3da82d64b7af17

SHA1
008310b06fe151ac6e868b6042632c0990ae228c

SHA256
d11c8e5d693fa519a98b5ce51fbf2ece0612b66bdbcd8c1ee658fba87f281c99

SHA512
bc22d3fa25ca490f2cb8f86446bd7fdefe7c64118834e702de5a2440492d28b007e7971fa809e511240930567fe7744024f01928d845d05d40ed462520fc733c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e72942949e60ce711487a0be840ae1b0

SHA1
c34cd970d777ce97987f0241ed8d010a653ae293

SHA256
86e8109f7c608ba5e3cee6bf25fd5b9dafba6fef2f409dc093aa0a8288dc131d

SHA512
b0dd8269903a6b1bd004bf071ea3196afd408deaca5928181de6edb2945dedd85351a2f91e6303693132a24dc8bf4c58732276f5630af8d34c196dba118378c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8078564d8ae7817008298f2acbc87dc0

SHA1
7f42bf55bca07b689bf73879cd9b72ad1128a75d

SHA256
377e2dcc5c283539fcadccaca33ce71657c379d4a8bc901a45dac7e38e4b6633

SHA512
1846d1f70473ff4e068ddf12ee1a97998458e7bb98d0bc9a42bdc850f8793d915a9c7cd51504c831196d785de7a52c5fae258a7cd4c37a5299b180a9ea398a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f9a55d8813262d6a91b5c0ed1cabafc9

SHA1
72a9613967581aa91b2f131028e1172bd8b5e63c

SHA256
02832f058e8d81200e65c525a6c3c6566280f65b4016683b8eaf73c6e664b234

SHA512
dea8b815ba12d3729bc8d77db2a4d4ff281dcbc75334e3a577308c9495e91c64364fc6befb2da0e7ce0d24742cec3a804559c6835cee685bc478366a3ad295c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589853.TMP

Filesize
1KB

MD5
b55862b2cc2cd5ec24e0747c224e7486

SHA1
21616a31e4ac2ff4653a284514057c83c24ff80c

SHA256
2797c3ce5a211ef9444cf85f6929e50206ed6e162481f38da9d111be1fd36298

SHA512
de6662930fd11796791a9d198e62867e8256ec17eaa95e197ecf10e0e32d6e0d51c0c72b1d63b9a099dc0bbb78d3137a934fe9aa5ddc3c93e0b0cc4be1721657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
df3e0f60fe5d82456481b4e4a07ba7c1

SHA1
f22d798858afea1e6204dd41044a9c6574a9e480

SHA256
1758e5fd9c0b692fd1a7dcb2e0f251734e3970709e66c2138d7be99fc70556cd

SHA512
288c7aef88cfc2083b00362ad453d19c858c51f9f4c2dbe8e7d64dcb6b855a15d1ae472b1d9d503d2bb8630c4096222d3f518ef8c66de12d312f2b3145598e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
43804ce12cac964cbe9adf79f9b2109d

SHA1
cd0c825fb24a4b6a93d3c9f479146dfeeae16aaf

SHA256
25a06cfc61f4906a48d28eb5724b65c06c38f87d8609f03ce7251f34c582bcac

SHA512
f63410d95827e323b1c0a5db763c6e1dcc9a42a6f52b17afc561e657c1532b420ed1a120bbb8cc2620ae760ac92194e4c8ad466d096f21c16d194c5dda5c3ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c675aa394c8311c08f5c835a43b468be

SHA1
b46fdcc409b1966e1fdad79f0efab29c720dbaf4

SHA256
0f94590141fd7f283eda28074d8881718055ac8f54863711280fdf8794b98cdc

SHA512
6d5a152899d46a2cb32ba1481c1330633f7cf494cad900a413b86237a94486f3c23b1661d85c630b344d5a0cb95f9e018bbc5b5161d0f15624b9a42a47298b0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c497278d01204effdf3ce666767e5c5

SHA1
600e2b52af9b388821da38a18fc8a8403e058add

SHA256
6a882bbf7baeca3b8d69b07c0b401bd521c117e9631b766843d8012350a38305

SHA512
050e31bee7a3c3e4049195e46e6c8b5bf436f39cf852d704ecc8cae3178b651be312807a1d3efe8c3964015eeaa23d26a0c5dd825e6227e542227cb6ae661e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7a0844a85672b2e5e262cb5af9bd578

SHA1
6bab2dc5cbe82a93f648ad1864618c84a52ffe16

SHA256
d964202eb758a07aa8e8c036f5b7e8f6fb602d788ec95475a0b746c5c3fafc52

SHA512
70e9250a59e7b5da8a811ba2c02fb2d2847529028afd2c212fa340fab73c9e02c501fc54829059b273eb92cfc5f60a39c8602ee115d967cb61ee99f18f2b75ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
8141ba53c3bcde56f7104199a9a19427

SHA1
93281bb98ec8c4997f161d634c051548233eb379

SHA256
c9b01415427e0ec3b88e5185ad74277065edaa3693ad3e246a71aae34df6d355

SHA512
8a7cf74c177feca421a59c1669456ec62531e6b0001333cb1463bbab40c6da53dcdb3cfd9c7ea62e266a7d5497f332bcb99247f4285598a5e1fb5304d60dbb85

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
63011b2844596ddc327cdc92ac7b39ae

SHA1
99fdef11c15ae23aee2849eaea9161795f4f2039

SHA256
e1755ac48df7de4802c601e4edea2392f515d641e1af9b072392d64a3c23696b

SHA512
e4b7617d4d87b26c2f06bf6179031067bdf304fd104bb69ceb98f7939ee4d53f774c1acc6f01e1e95a1edf3b436f70335bf8fe83bff7deb89dfac762b25e472a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\B58CCC03-1AA2-4B56-868E-13F32670288F\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qc1wo1wx.1wd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
d85ac14871d6339c78e2a9b316b958d0

SHA1
63d3ca4ad82cd3014d54b7d91b38786dbea0933f

SHA256
f6f53e4c70582da574ce58769163c8e276ed78dbe12db6236e0b7d04ce69d657

SHA512
6fe9290f92e7bdc9fe8441f220acf9e4544c5fa7c9f4fc5653ca7741a1907a795781a2f23986fe5dcaca0ecad3cdaddfebcf6d6f0b6ebd4478caf313fa0a7488

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\e9e12815-1a8e-43aa-875c-f01411691d08.tmp

Filesize
2KB

MD5
4674c2542085bf4a922608831e7a5d10

SHA1
2371c8e58f7e04a0e3420b74434f606b96a14b41

SHA256
d5043dcead8ac0eb7216f21740e484c2b2ec89367e0a27bf1040f761815ad5cb

SHA512
ed2f3769d18e6dc2b7b9e00cb200c90ba3aa6c973355c8f17beae46645534fe50f7308652bf48e7a00eec6db9abbe222ddb7b041827f4317cb75677f0b1c2689

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
b33f2e65677a256b37e75340c167f54b

SHA1
735c404466aea6a70e653a6706cdd0b4d65c0aae

SHA256
77e81f19ef02e620898b53a308d502042b9ae732d9741b99062a1baaa164dcd7

SHA512
cf1bfefef47d5cee5932fc9cccf323f87640912225cb5b0f93442929fc96f32edccad48fd8c95def9be64fa62c750add4b53448e3e4a2e854f8940be7aaefc8f

Download Submit
C:\Users\Admin\Downloads\LDPlayer9_ens_com.roblox.client_3040_ld.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 139857.crdownload

Filesize
2.5MB

MD5
4b3458b9c6aaa39ef37fc290459b6908

SHA1
ba8b683eca181784d049efd008f50aacf5cf4079

SHA256
9bb59ea13d91b11739e9eb8e39ab243d80935310838b0f60b450ac2a906aabee

SHA512
0f3977bb0b137ad65465a38be1d97acbd50e1f57078c7bed957fd0c210d1bd5f4895b9afac8af4c202a3f905f021cc7042210fe030ff5de6e6cb7c4f90591dec

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 784002.crdownload

Filesize
5.0MB

MD5
9a5e4420fd429b7444e7f02b2b52d0bc

SHA1
056e5ac7ef1334698f4337435985a2d6a52ae059

SHA256
44ef9c095fdc078cad8648bc9ec75f744d2c72229ee427eac65fbc1859e57172

SHA512
7728f89d67bf145106d7c86dd7a1ad27aac74898210bd86d944d7a9111c41fb3df1ab2acab5a4d5bd9cf1a6dd66d9b460368c7994bfbe8807e4c21ae142f8f5e

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
263KB

MD5
791279941a442284e30964b5b0f20159

SHA1
01c432f0d7a5ae402d2689c148781348bf58ef7d

SHA256
80f5a33339611b354947eb2b02579834f54c038c9e48947fa67023c638e94c16

SHA512
e966763b1dd0f6c6710717f24698b8492559ea9f9deb81334b860ba801614fe56e636b436f81657d1ce08cf4ef2ec28e142ad6e729ea90350d648aec716a9753

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
266KB

MD5
32ee6150808ed9780388f0b27ab2b613

SHA1
838c1d2df9dcf8348972f51949541b70a765bad5

SHA256
d0a538dcb3d89c3e2c44e38f63de02ee8568c92d734cb3cbc0ab46aa648ab1d4

SHA512
1f5fd6a9823fcea2b04c5423409c3873c6665d130d3b07bee67a69e2c797c020c4a8ffe18272cf16b89574e09f8abe84a45317bfea9774670b4bb9c625ac430b

Download Submit
\??\pipe\LOCAL\crashpad_2720_QQGRKMVIINVDPQLH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1776-1925-0x0000000006610000-0x000000000665C000-memory.dmp

Filesize
304KB

Download
memory/1776-1946-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/1776-1969-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/1776-1970-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/1776-1912-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/1776-1947-0x0000000007B40000-0x0000000007B51000-memory.dmp

Filesize
68KB

Download
memory/1776-1921-0x0000000006150000-0x00000000064A7000-memory.dmp

Filesize
3.3MB

Download
memory/1776-1911-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/1776-1944-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/1776-1924-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/1776-1908-0x0000000002ED0000-0x0000000002F06000-memory.dmp

Filesize
216KB

Download
memory/1776-1910-0x0000000005840000-0x0000000005862000-memory.dmp

Filesize
136KB

Download
memory/1776-1930-0x00000000075B0000-0x00000000075E4000-memory.dmp

Filesize
208KB

Download
memory/1776-1931-0x000000006F2F0000-0x000000006F33C000-memory.dmp

Filesize
304KB

Download
memory/1776-1940-0x0000000006BD0000-0x0000000006BEE000-memory.dmp

Filesize
120KB

Download
memory/1776-1941-0x00000000077F0000-0x0000000007894000-memory.dmp

Filesize
656KB

Download
memory/1776-1909-0x0000000005AB0000-0x00000000060DA000-memory.dmp

Filesize
6.2MB

Download
memory/1776-1942-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/1776-1943-0x0000000007930000-0x000000000794A000-memory.dmp

Filesize
104KB

Download
memory/3020-2394-0x0000000070D50000-0x000000007274B000-memory.dmp

Filesize
26.0MB

Download
memory/3020-2393-0x00000000707A0000-0x0000000070D46000-memory.dmp

Filesize
5.6MB

Download
memory/3020-2391-0x00000000706A0000-0x000000007071A000-memory.dmp

Filesize
488KB

Download
memory/3020-2392-0x0000000070640000-0x0000000070699000-memory.dmp

Filesize
356KB

Download
memory/3020-2389-0x0000000070720000-0x000000007079E000-memory.dmp

Filesize
504KB

Download
memory/3020-2196-0x00000000367D0000-0x00000000367E0000-memory.dmp

Filesize
64KB

Download
memory/3152-2040-0x000000006F2F0000-0x000000006F33C000-memory.dmp

Filesize
304KB

Download
memory/3152-2031-0x0000000005920000-0x0000000005C77000-memory.dmp

Filesize
3.3MB

Download
memory/5848-2018-0x000000006F2F0000-0x000000006F33C000-memory.dmp

Filesize
304KB

Download
memory/5848-1986-0x0000000005FF0000-0x0000000006347000-memory.dmp

Filesize
3.3MB

Download