guerrilla | 7c7e4fd7ff311ec6383f420afb2615e9708e4f4245ebaaf734584ec4646047b8

Analysis

max time kernel
883s
max time network
885s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
16/02/2025, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_25567197_ld.exe
Size

2.1MB
MD5

e511e1991f0d45c438fc25e3b80f6a8d
SHA1

14422f21df326e6bf9c331229df421434bacd73e
SHA256

7c7e4fd7ff311ec6383f420afb2615e9708e4f4245ebaaf734584ec4646047b8
SHA512

5721cbcff91a82522ab758ad3ced8370abf2def8e700cd239b0e35a788957304f16dac0ecd550ea132fe17a7c78bb561403cd2a55e820d15d54ff29645d14c68
SSDEEP

24576:SUSyTxvrd2xQVA/BEifWJgc9Jp1YfWa5fqstMkReprSOTyiRtd5NBN/8LcpmZQ4q:bdLVO4pfuM+e5SElb/8amDe8hSSw8Ix

Score

10^/10

guerrilla otpstealer discovery execution exploit infostealer persistence privilege_escalation rat spyware trojan

Malware Config

Signatures

Guerrilla
Guerrilla is an Android malware used by the Lemon Group threat actor.
trojan infostealer rat guerrilla
Guerrilla family
guerrilla

Guerrilla payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b086-526.dat	family_guerrilla

Otpstealer
Otpstealer is an Android SMS Stealer that targets OTP first seen in February 2022.
trojan infostealer spyware otpstealer
Otpstealer family
otpstealer

Otpstealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b086-526.dat	family_otpstealer

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4\FuncName = "WVTAsn1SealingTimestampAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "WVTAsn1IntentToSealAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubDumpStructure"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\FuncName = "WVTAsn1SpcPeImageDataDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustCertPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLCREATEINDIRECTDATA\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "WVTAsn1IntentToSealAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "CertTrustFinalPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
232	takeown.exe
4424	icacls.exe
752	takeown.exe
3872	takeown.exe
3024	icacls.exe
200	icacls.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3024	icacls.exe
200	icacls.exe
232	takeown.exe
4424	icacls.exe
752	takeown.exe
3872	takeown.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
47	1312	Process not Found
483	1312	Process not Found
96	1136	Process not Found
795	4996	chrome.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
203	discord.com
208	discord.com

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\Qt5Widgets.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetDHCP.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\EGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdp6Install.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x86.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSampleDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-filesystem-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxC.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetLwfInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSVGA3D.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMMPreload.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\crashreport.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SUPInstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxProxyStubLegacy.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxHostChannel.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-math-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Executes dropped EXE 23 IoCs

pid	Process
2468	LDPlayer.exe
3464	dnrepairer.exe
2028	dismhost.exe
4344	Ld9BoxSVC.exe
1860	driverconfig.exe
2336	dnplayer.exe
4556	Ld9BoxSVC.exe
4584	vbox-img.exe
5248	vbox-img.exe
5312	vbox-img.exe
5408	Ld9BoxHeadless.exe
5460	Ld9BoxHeadless.exe
5508	Ld9BoxHeadless.exe
5556	Ld9BoxHeadless.exe
5600	Ld9BoxHeadless.exe
6952	dnmultiplayerex.exe
7056	dnplayer.exe
4476	Ld9BoxSVC.exe
2936	Ld9BoxHeadless.exe
2640	Ld9BoxHeadless.exe
1636	Ld9BoxHeadless.exe
4468	Ld9BoxHeadless.exe
6360	Ld9BoxHeadless.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4744	sc.exe
2372	sc.exe
2396	sc.exe
2996	sc.exe
4200	sc.exe
2672	sc.exe
3372	sc.exe
1692	sc.exe
1660	sc.exe
7124	sc.exe
5664	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
3464	dnrepairer.exe
3464	dnrepairer.exe
3464	dnrepairer.exe
3464	dnrepairer.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
2028	dismhost.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
4344	Ld9BoxSVC.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
852	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
1204	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2584	regsvr32.exe
2308	regsvr32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnmultiplayerex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnrepairer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_25567197_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4492	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133841796962669627"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0B79-4350-BDD9-A0376CD6E6E3}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-D8ED-44CF-85AC-C83A26C95A4D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C65-11EA-AD23-0FF257C71A7F}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-402E-022E-6180-C3944DE3F9C8}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-5637-472A-9736-72019EABD7DE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-8082-DB8AE479EF87}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BDC-11E9-8BC2-8FFDB8B19219}\NumMethods\ = "39"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42F8-CD96-7570-6A8800E3342C}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7556-4CBC-8C04-043096B02D82}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7FF8-4A84-BD34-0C651E118BB5}\NumMethods\ = "16"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ = "IHostVideoInputDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6989-4002-80CF-3607F377D40C}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-A862-4DC9-8C89-BF4BA74A886A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\NumMethods\ = "13"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8CE7-469F-A4C2-6476F581FF72}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2E88-4436-83D7-50F3E64D0503}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-04D0-4DB6-8D66-DC2F033120E1}\ = "IAudioAdapterChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CF37-453B-9289-3B0F521CAF27}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0979-486C-BAA1-3ABB144DC82D}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4430-499F-92C8-8BED814A567A}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4453-4F3E-C9B8-5686939C80B6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C71F-4A36-8E5F-A77D01D76090}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7532-45E8-96DA-EB5986AE76E4}\NumMethods\ = "30"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\ = "IDataStream"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9070-4F9C-B0D5-53054496DBE0}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-48DF-438D-85EB-98FFD70D18C9}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4a9e-43f4-b7a7-54bd285e22f4}	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1BCF-4218-9807-04E036CC70F1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBox.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-61D9-4940-A084-E6BB29AF3D83}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6989-4002-80CF-3607F377D40C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E4B1-486A-8F2E-747AE346C3E9}\ = "IDirectory"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9536-4EF8-820E-3B0E17E5BBC8}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\NumMethods	Ld9BoxSVC.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6180	vlc.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4416	LDPlayer9_ens_25567197_ld.exe
4416	LDPlayer9_ens_25567197_ld.exe
3384	chrome.exe
3384	chrome.exe
4416	LDPlayer9_ens_25567197_ld.exe
4416	LDPlayer9_ens_25567197_ld.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
3464	dnrepairer.exe
3464	dnrepairer.exe
4468	powershell.exe
4468	powershell.exe
1108	chrome.exe
1108	chrome.exe
4468	powershell.exe
1108	chrome.exe
1108	chrome.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
2468	LDPlayer.exe
2468	LDPlayer.exe
4416	LDPlayer9_ens_25567197_ld.exe
4416	LDPlayer9_ens_25567197_ld.exe
200	msedge.exe
200	msedge.exe
2316	msedge.exe
2316	msedge.exe
5208	msedge.exe
5208	msedge.exe
5596	identity_helper.exe
5596	identity_helper.exe
2692	msedge.exe
2692	msedge.exe
2336	dnplayer.exe
2336	dnplayer.exe
6952	dnmultiplayerex.exe
6952	dnmultiplayerex.exe
7056	dnplayer.exe
7056	dnplayer.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe
1704	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2336	dnplayer.exe
6180	vlc.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
3384	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe
Token: SeShutdownPrivilege	3384	chrome.exe
Token: SeCreatePagefilePrivilege	3384	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
2336	dnplayer.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2336	dnplayer.exe
3384	chrome.exe
7056	dnplayer.exe
7056	dnplayer.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
3384	chrome.exe
2336	dnplayer.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2336	dnplayer.exe
7056	dnplayer.exe
7056	dnplayer.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
6180	vlc.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6180	vlc.exe
4728	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 1944	3384	chrome.exe	89
PID 3384 wrote to memory of 1944	3384	chrome.exe	89
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 2460	3384	chrome.exe	90
PID 3384 wrote to memory of 1080	3384	chrome.exe	91
PID 3384 wrote to memory of 1080	3384	chrome.exe	91
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92
PID 3384 wrote to memory of 548	3384	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_25567197_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_25567197_ld.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4416
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=en -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328294
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3464
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:4616
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:452
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4272
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:3252
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      System Location Discovery: System Language Discovery
      PID:3156
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:752
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:4424
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:232
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:200
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\dismhost.exe {680D4A83-289E-4D2A-B6F4-015B41F959D2}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2028
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4744
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2396
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4344
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:852
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1204
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2584
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2308
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5068
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4bUcwDd53d
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4b483cb8,0x7ffc4b483cc8,0x7ffc4b483cd8
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
    3⤵
    PID:2892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:1036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:5668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6208 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    3⤵
    PID:3196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8468 /prefetch:8
    3⤵
    PID:5520
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8468 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7312 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
    3⤵
    PID:5576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,6621414472484176901,16498430282274447275,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
    3⤵
    PID:556
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2336
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:5248
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:5312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ldplayer.net/blog/how-to-enable-vt.html
    3⤵
    PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4b483cb8,0x7ffc4b483cc8,0x7ffc4b483cd8
      4⤵
      PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6007cc40,0x7ffc6007cc4c,0x7ffc6007cc58
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4324,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4288 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4944,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4696,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3440,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3276,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3328,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=872,i,14355315542358843644,6203110274513975958,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=1452 /prefetch:1
  2⤵
  PID:6796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1420

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDJDQTdEMjEtMjU3OC00ODM3LTgwRkQtOTc1ODE1MDM2QUZCfSIgdXNlcmlkPSJ7NDYxMjIwODQtQjBDQS00NUI1LTg4NjUtOEY1OEEyMDAwNEIyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTUzMTJDNjEtMjM0Mi00Rjc3LUJFMTEtMTZEQ0Q0MTRDNjdDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyNzgyOTE3MTUiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:4184

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4556
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5408
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5460
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5508
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5636

C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe
"C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6952
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:7056
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:7124
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5664
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3372

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4476
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  - Executes dropped EXE
  PID:6360

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConnectOpen.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5720

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:5344

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:6732

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5612

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6007cc40,0x7ffc6007cc4c,0x7ffc6007cc58
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4364,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:6256
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:6504
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff777504698,0x7ff7775046a4,0x7ff7775046b0
    3⤵
    - Drops file in Windows directory
    PID:6500
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:5176
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff777504698,0x7ff7775046a4,0x7ff7775046b0
    3⤵
    - Drops file in Windows directory
    PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4344,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4356,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3288,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4912,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3296,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1164,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3980,i,10483308100489216699,8308534551740381455,262144 --variations-seed-version=20250214-130114.277000 --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:4132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1616

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:4984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5288
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 27351 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93ab2c47-08f5-46b4-94dc-5a20efda08c2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" gpu
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27229 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99f7dd61-eac5-4371-87f4-4a3bb00a6cc7} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" socket
    3⤵
    - Checks processor information in registry
    PID:6904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3244 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191fca1f-1a2e-4d20-a4ec-ebabcdbcdfa2} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" tab
    3⤵
    PID:1992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -childID 2 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 32603 -prefMapSize 244628 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eee961f-aec3-4e4d-bcae-ba89e4cbc9b4} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" tab
    3⤵
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4708 -prefsLen 32603 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fca706cf-863c-4acc-8aa8-3a2467076d63} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" utility
    3⤵
    - Checks processor information in registry
    PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 5176 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d9b5cb-c7b9-4efe-af80-1522148691df} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" tab
    3⤵
    PID:5972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5320 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30d1fe6f-2e58-48ef-affa-2b1473598dd3} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" tab
    3⤵
    PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5248 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1198d71-2413-443d-b1c2-e7e0bacb9a24} 4728 "\\.\pipe\gecko-crash-server-pipe.4728" tab
    3⤵
    PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
2513633e5e5bb34def8a71ef6e5befd7

SHA1
c985157de4ae2a333ed8ecb0747ac52c60393bdb

SHA256
35b5b42a7f596b6c0f687f7b30a71ca59db1ce4eb4e99bc0834d389e13a90591

SHA512
3c423b9f256cf49fb6fbbb3791d16403b6e4d52d74b0a0e22e4227a3e157513d0de9dcae2bbbf22ecf1a6dc5c2a1b13e276dc03ebb086fd773535d6411259d19

Download Submit
C:\LDPlayer\LDPlayer9\device.ini

Filesize
91B

MD5
dba7fefc48f3b90350effad166abf887

SHA1
263d9ceb08d10685ff4222d7c89cb563d2c411f8

SHA256
02cf1d1f11940dcc79c52917a12f52f3a0b3aa3a381ce86d86d3a15c50ac5292

SHA512
34789e652fc0155e6d18e779d57fdea51c4fc439f96313e0d5290558402d4171d8f8abdcca31d01eb5d50b0bedbaa68b0f70d47df8a4ab714a4f40e6c5a1d2ab

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe

Filesize
1.3MB

MD5
4a09a9041ad28acee09d28812027d35e

SHA1
1a44f1aa0a3ce1104445f8127d4422335b9f0661

SHA256
0f78a3b67d88cfc86cd2cdc82369f1f2de47229ba7806ab7250a7d6e3b8d67e1

SHA512
81b61c16e93b1b79a3f3c94f955fa14d78c2fb44fac2279603b81cf0d791679ac78d2f86da34b83b414dd854b7658919fc1c932288f0cbf21bba69a9141958a5

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe

Filesize
3.7MB

MD5
0234860b36d2572826264eb9862f22c4

SHA1
37d7bf02a57b73f8a83276558644d3369c2e2b21

SHA256
d34e996c9426a931de644d9540496ef54bb399c058422cab06bc751ceb69bce7

SHA512
b6057625f03dd5e36f1383f2f6baa94e454fbb86834ea20f47c027a930d9960b889dcca3e147e4049741bcfd252975df9d591728e124dbd6782e2537af4d50aa

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
04044e7b94bfbc4ca27e2df25a29d13a

SHA1
06638ce071f6b4df1c8af59bd2bb72510c71290b

SHA256
1b366f62499131960592fa7d0a8882045f0228cef1dadbc5857414e221aa04b8

SHA512
ab110dca68a556e07e248aad9c1b1c6af71beb8f6d895c5a8bc48ed6b5d820ec9d3e2e66e8e866dd4089c8105577e08c566cee504e1f31a85d33958f3eb28791

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
5.6MB

MD5
7bd1476e968973f76fa9ec4afcc697db

SHA1
3dbe37c2238b6dd37538e3b1dfeaef3f6b918fab

SHA256
c193a0c9fe1646eecf044ee9b3d53d5b2c0ae863a13f27f0e4ed58cc0d13f75d

SHA512
dc15c94000f19d96288e2cdaba21efa472d63ad78e6e05a43e23229d22872e580b426c4a30d48db920cfa93285a83014937c91205c77da9b7b7a7fea8bf7f43c

Download Submit
C:\LDPlayer\LDPlayer9\fonts\NanumGothicLight.otf

Filesize
314KB

MD5
e2e37d20b47d7ee294b91572f69e323a

SHA1
afb760386f293285f679f9f93086037fc5e09dcc

SHA256
153161ab882db768c70a753af5e8129852b9c9cae5511a23653beb6414d834a2

SHA512
001500f527e2d3c3b404cd66188149c620d45ee6510a1f9902aacc25b51f8213e6654f0c1ecc927d6ff672ffbe7dc044a84ec470a9eb86d2cba2840df7390901

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe

Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll

Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll

Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll

Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll

Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll

Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll

Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll

Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll

Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll

Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\phones.data

Filesize
5KB

MD5
fdee6e3ccf8b61db774884ccb810c66f

SHA1
7a6b13a61cd3ad252387d110d9c25ced9897994d

SHA256
657fec32d9ce7b96986513645a48ddd047a5968d897c589fbc0fc9adb8c670f4

SHA512
f773f6fc22adadf048b9bfb03e4d6e119e8876412beb8517d999f4ed6a219e2ba50eded5308d361b6780792af9f699644e3a8b581a17d5a312f759d981f64512

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
1808.1MB

MD5
1440f444ab1b89dba193f7c229345afd

SHA1
f7748717ccda941c5697f12586fa7fd1d16669ab

SHA256
a4bba1a678a3c162908e35716bb8249ac0ea42bfc651c77c3a21a021dff222e1

SHA512
83e73647d7e69641a5ade28ea73df1af48c64252f371a4eb1e5527939c16b3684a8e22c18ea6f5395f1ba57e4fdc587538c425fd9c073ff7203046179c0f9303

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
950B

MD5
3293b7953c0ea01f6b8743bcdd690d37

SHA1
6c395673c8b5b724d385bfd07c88566083b67159

SHA256
a1254be7da288937d79186354845180e216467a1dac9001a712c109a0b716743

SHA512
cccf799905352fc21b1af828dd409193f0c1bfbdb2c6473de838c1b0c4dc53d867d799a0682b554d52d1b6c3d21e08e88451cf74a66c7a50d74ccaed300d3a8e

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
636B

MD5
c22e8bc02200c96b8be8a16d8b8477a6

SHA1
bfe39479e123c4c45a3af52b5fa34b7d9da392d4

SHA256
09842d86f11972f089642bdea894cf3a114ccad0d629cf968c3d0d9228497c46

SHA512
5fc846a04515e1551c4e75bc9c359b827cde41d61942624697391b14ddd2f94235e17d1ac6fb24d68d70a1d30b94429a9cf0b7509e8616d3a91f876bac087aa0

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk

Filesize
35.1MB

MD5
c64ea0a18bac27050890a3c34d635304

SHA1
3bd73cd884f912513bbbb1d4101bfb09d73f8a04

SHA256
9b40a35e9586752910ec5e8b415f38a00d4e76f44f7c989a9adce31821182527

SHA512
8ef25837d68487ce164f4f793d7b259cb9a86710b0ab7398e87bb90c9352f87d1cff2020b5ca45c149f3b14ce806c2fdaf888d495ca2be73ecd769c7bde10fa6

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf

Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
779B

MD5
ffb38bf864028484e1e16cb70aa3669c

SHA1
2fc1b48a5412eb7878a5626b185534b159fb9bff

SHA256
4fa687f2327098b0ef187017d5c24d2384a21707a5a0e47d16ffe7eb74e3654d

SHA512
ad86a14031ea525689df2bb97e88bf9428960e8f0c96e1d9535cc6bdc6509a3ff71929c544fe60c2ddaf70cd89d519ae6bd4b503a9385becd8921b2d21ab2d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\772D055D5E4421B179898A4E6FBD9ACC

Filesize
471B

MD5
d3de1b9ea6f5d83ac6c075417c77a5e1

SHA1
ba664dff3f0681856f640e4a74c5df5a85390d8a

SHA256
13d6ed6c33e3c2dc710a848845308d05e40da8e274d9fac3e7d5bcbec079a45c

SHA512
119d5981b63b0752737a2a0fad3d513c40d58b83362f9cad8d9a848ddd624b63e2e41c5c4e0138be2effd453a82f1b36e50767a6b41f609663ecc06b62f512db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
246B

MD5
5f11fd091f339a70dc07adde2c348bb1

SHA1
0fa5ad27a039b52a14a3b4ed089c486b7e480339

SHA256
0310c31c32afb4cc97025051baef92859b385086d51ec82211f445d13fcdd09f

SHA512
86d516109809d84b67768e3df641ff0528e25e9382707fb4a8008cb8cdde364914f1713ce6d6a4425eb226c6cd48d1b95c338a906ff144c54d5dc167c15fe09d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\772D055D5E4421B179898A4E6FBD9ACC

Filesize
400B

MD5
7a2b8d585e16361d8c9099d8d4e834f7

SHA1
1a643f675a3c5b43ed0080da77ab5902c7086b63

SHA256
5f13865794f3fbc8875d4b9a831247155b0ccab79d5fb3c3bad776d3642472f6

SHA512
c9f98b1a51a9af6d93785d4281d60875cbd35665bce039e9cff19ac51ab48cda1e54468523d389d06e27950a80554c4d52f5d5f46755b1d78ca4f96acfd195ac

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4234cc38219cedb4e40601b798b1d856

SHA1
f1a093d660d18f4fd62e45eb097dd3995c0418c4

SHA256
5f9236c6b43c7f153e575578241b8c6556e7dccb183e5518b8dc81ed336ce908

SHA512
8018b1178b0e45c18329358ca8dc4a4634b7d26defea8980086c890b8958a0aa5e6626654ec72ae05b25cfd433e9881eb0cdf75d94085d425b57da60adb0449a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
71KB

MD5
e56d62454dff11b61f910b0fadf7bc36

SHA1
3ea3a682f6f95d37d04d5c04fa46f1bb1de1166a

SHA256
4bfa7a058a1700fa91405421b62398d43e073dde6e36b8a92de0f59419c7d929

SHA512
83e641a35bbc9a97116d1c2be311a556abc55d0c385517c125c71232ba006c895c962469be5e9adc2dd98ca725d19894c665440ef479a63fab6b2048d76848a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
252KB

MD5
8c9dd229364bc1e5d99e2169663cc8d5

SHA1
6c0e381ce8ff4eba7410c3638eb827eb629d3a3b

SHA256
81e8f2523e0f2a60de63dd26af23a0611431edb24de50ad0e226fddd129d4af3

SHA512
0ddad16d72712931a11a280d8215f1d81166924a418685c0bc7f1f482cc63132d0cfc31dd31e930e8e961d3f1bba1d8027c00508fd3caf8b21afadaf59cd402c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
174KB

MD5
ef7b384ef9ce616653339cd63fbfcc47

SHA1
8474a268ba7e66dac62c754ef1b4a93e247c4ca6

SHA256
7c1e1a48e2e7a84c685a98c5fe64ce6b1a9a8b7d1a6567d8c37351cedbc5a2f9

SHA512
0f67bffcabf279863ebd4da312639fcdb8841aa5305811d4d6e02efe7cfe03d3efb84e6b39db698db9598e75bafa04cb46b3bf73056406a01845e55ad36d10d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
327KB

MD5
ff63f4e86b4b37764a4613f0bc5c3bb0

SHA1
83fef22f6dcf3e8cb599561e7dd7f2950a23bbca

SHA256
f35da8fa7db3d564d62b5340dd978546967db3d647888c11d5e3c256a5884be3

SHA512
53348489afd8599507b04e38eaeb4f61720490bf328f5c00c2a21b03a29fdb639977b78ec019837d8e92b60f9fb5cc5e8f00920a0209c51f428b66c2ed900337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
109KB

MD5
b725677d96e32932f518ed1002550a88

SHA1
518e0a15c4333e5f6d5e6d5678b9828118167df4

SHA256
0f8693d5db21b86c0a7623048ebb1b6b3cdab15e256abb1ac8bbcc33998df24e

SHA512
490dfc8cd1d9a92ff61bcadaea3688990b13359b61461c5920860512d6edfee63c5f627537851b8aa2bcc1c628c6f10f1a98799c9a3e4ad54acea8d9824162bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062

Filesize
19KB

MD5
b134227d02fa4d7239803d23d435f06e

SHA1
ab6b0425253a7264d8fd5996e3c066e684146084

SHA256
4864ff99fa737260359552fde612ded5a19f3c669f8ed6f27334f9cd5f224054

SHA512
d4a1059f93f5d65e7c6b62a0bf2e0888e419c0baef12902c0363a831ef966c7dce9dc87d7b8c21b0b808a9e48b829afd6c6cec3d6c99d6accbebf5492e69bf37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00006a

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000071

Filesize
66KB

MD5
8aca43d81fbcf0101c7e53ff877b02db

SHA1
1bb8d51755ef67dd2e5302f87585b0ef3abc261b

SHA256
c2bec5b217c0428bebcd6337b94dbbf943718f0608bf47edd29ff6bdaadf454d

SHA512
1a0d67dd5725f9864556ef6e26b3f21c3cd74d6b2e2b6577f416df617251d41351881da5e7e5b9d6fb042a5f506383c825cfca20f5526ba0f56bc7ba0719853d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\46c3603649e798cb_0

Filesize
1KB

MD5
32d863d5065a6bb4e861be324726faa9

SHA1
a60bf620d1caab831feb74767c28323b52a04c04

SHA256
cc3eb664f2fc1761bce8764085c79dda3ef8f85d88130ededf80fe8c39e1e44a

SHA512
0ecbf6283c3f0e26ab09b1b26193b81e27cc9408473be50fc8d2697f7236228cabe75a1a6b90e8d424a4f3e53adab511ecdbe168ce96b919d994ac6abbcb562f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\57dd09ff30815796_0

Filesize
275KB

MD5
f1fc4ec60840b0aa92366bee67b3e890

SHA1
6957265c3bd0826bc13194e3bd4eff0fb95b1567

SHA256
3560505954eb78e3b3812714a938698c37b11e95d789d09b069a4c3e8112e77c

SHA512
c233d5ce6e7c5720b14137d1a8fde14f9abc7e8b73eb8cb31fc9c769c58d1237800ff2ab084ef001880815070abf77ba85a9ce7a5cdd28b6d6c762c7cd3c59d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5eff9de487b8c552_0

Filesize
352B

MD5
695952e0a0c834e3a997266b68c97a21

SHA1
cae5cba191559ff01d0821a928ca5f1c39a43711

SHA256
299401fa7b3aa3c439f72ddc1f0c760709615240293165688261afa524415eab

SHA512
7e9c98b036e746b553d986d2f0c39d668a47a5d06c06a42192c7f2d6531c7b86fa5b34b71483a4a593c467049c842d4291534ea5f3d197d2dc7b79ba9c8512ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c8d6da7198b0d796_0

Filesize
546KB

MD5
e6f655678117462273d86214f29056df

SHA1
3e801a0767bdd3a777d1236db58ef722727015d6

SHA256
4e7de2277e1284ec6c61d66722471502b6842683b2e8c393ec0f443ea0b4a4ca

SHA512
72471786e901ef073196053c9d8b59887a7aa9aa8cbb4be1a619d102a65b2b3a8fb402d9547c25bb620bed26ecafe3ec3752464d97bd68d746cfdfd49a74ed36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
5affc16210d8b50ad496dda347c5b5dc

SHA1
17f508892deab57486876017d986c0ca41a9bfa7

SHA256
2b5a5eea1cdfc524bc330fed8acf29ca4640aa55ad2e5ae62440c7cb74dd7793

SHA512
8b72e0fcac84c97ec69d70f0082e6ea1ef77c7f879f294f382bfe82a8bb09016ee4ed61d373337da58a49beed11df373845845013c51811b8f56ce483ecd3901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
354df1d0deeb2939bd6463ae935f08b1

SHA1
1449f79630c6b42d9fa4babca35217e38073b499

SHA256
586a0dc85697fb601825f93ea2d2dae40fc435fc74252b91fda3d1ef14690a3d

SHA512
db30ed88225e31e20f0665be6b6692e678848f7ca0bac88ddb43ee0876dee9682315adf464a5fc4668ddd2aa3e2960a76a9a776faefd131c9e447ad74a515985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cb5d856410225a081793b3efa5066e44

SHA1
a9cba04adc4fddd515ad9c39d909e194b8cbca19

SHA256
62d2bc743a4b1758947c3d71df044a6fc8a3fa193af583f4b37be8a20e2d80a7

SHA512
601101825561c4d3cdc5deab613c0df58be7b4738fb762de006d594556241adc6367cb1bf2c030c9550d005fa407a42c82003591418328e6d5709ffc033e417a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ae182c8b583374ae41def63876ddecf5

SHA1
cdcba509406991ab7b3a3de59d0bd05a1f56d80d

SHA256
ed1c18fe7d1e63337d07b858b4d071e2672c470dc039f1f6cb5074567601eae8

SHA512
c639d92a800bcab4fc2631b051a19423b3fff6a7b3e4623d7b7a1f8ece0f2118d251a593eb58db7aaf8fd2dcae0b060994bf427a0da84507a9e84cd42b7875ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
df7b4d0540a8bb812aee725cda037e51

SHA1
657845fdf1f7502e708cd51218b7fe53f446f67e

SHA256
2dfff4fa626b70c41f5f670bc61dadb2ce0c9634983bc647f209b2864f57002c

SHA512
4d75e7ed20fcab51a5323405cb11c90aa09e49e48c872e0b190a3b5cd629746b2ff7285ca10aed88febca91ec0d825c7c031bb64fa963e5be9d5d474ff867f3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
71be26afa25c8d25e346b18f79e4c598

SHA1
35784389516e5c5d8ba11a8cdbfd9c8ac1b9866d

SHA256
2db5de2ce7210fca621ff899c3600db0b485c5525ec8f1df6079b29dcca52c4c

SHA512
f711f4834cb6cf4ad12233b15febd80b8f69b25b90f3d0f7369e1e06934a9e5c86bf4b8fd2df8120d3a92bf67d530989eaa33e8b18e15f021adfae169b2eb7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4e029e02d4e1d4be1665b8e9c6e0c93f

SHA1
e788277ab9ec1f6c61fccc9ddf4d94dd2681aee5

SHA256
37899508b0d0b32c6d1ea75df42d4c04e2069bdb58ea61871311dd9a3ec1e50c

SHA512
3fb1897f9f31f8014c40c3c8e68619ca22497820e791cd1f66be39c15ca4b0680e9a4f185f554f1b5ec5e1007eb17083ba8c98603a522688abd4e571b9c9214c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
87aff692eb4b31c176909ffd26c32f17

SHA1
841f645f803685189d1115116e234457dc6af83f

SHA256
7f8ccd35d8e45df5ea49f7921d47b0ef79fce5e5363eacbd660761401a82e205

SHA512
295309b3fa91573276cfc0e3f52da8af82530096b2106633dcf16e15e0ef5bc54b59d31d83d58f95264a0c2126b151c79f7802ed678d8e8fe6c0ca91a17693d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
feca76023184a2417b5cf50cc765f9e7

SHA1
363abe5b333210c936c32ebf82ea95244fd2681f

SHA256
63d84dbae678b474fdd403d5cdee452350c6231905631d48ef7785333836db48

SHA512
12cbf9613c3b61e7006227c26556d7bd06a3484c7b13eb31b83ca804eb1161086f413295cc1bd3826a266faa029f2720ced26ec1be7b29c9f6521479528dcd6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
792dadd38ea49ff796787e59794a2bb8

SHA1
7f0d5d7131a43b5881992f98b69fa49350fb3e35

SHA256
90a518e1777058acab1ebe7a0532f3a0c68bedcf95d3adb2e6f30109c706e679

SHA512
b6636a4ef8459185d100461420d394fc77b8a4186d976861e1956b2969cf1a87f43e51a771d893170e0d5ffa88ec53c730c13affbe4d217f4bb2842231758594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
090a77fef7efbb0278c4c59987c4f846

SHA1
c7106bb3011abdaff00e43f698148473fdb6db0d

SHA256
0f2619b3154b838de2bd3d68941e34d95a28209e5cf8a65e6635ce0c598218d3

SHA512
2e1c5668b64c5c131726ffb820b8d7116d925b0cd536b96db30bed5d84bd0f3b39d301db00c2d8bf29cd585ddeecf4b740c8e14bec2dde0dabaf0f24f2acb225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
0bea2f847f8ce2f91f2efa3ebcb7b199

SHA1
67873e7e8b5bcf4c64ea42fc1e4476676b760536

SHA256
798cc34e3323fd3b1d34a2e1fbc12f21457c526f66df80ff5ed2b08f897355b1

SHA512
04cb3839a88fd59d95c488e9ad596bf9a85d50fb3ff657fe8df2697a14da0ed1d30b618fab548dbdee0124c5054db56a97b59685ef19443143b8910128241a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
b1b0cba296b5e41acc7a8b8fd94af522

SHA1
1f9afbd08298936332febd71a7bf0861d642c26e

SHA256
936e2c4532d53d78bf58698050bf1bb19c7f04d02b48d79879a4f92dbfab87e9

SHA512
e98712e432681f49a7a44c418fb28890008d2217fa38f85d9579059194bde24397dc6468c8d58ff469b01b6dd924d067224d0045cd3a065d87571f0eba2fa9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
0f47754d878ab9807b3412f474e2042c

SHA1
74eb0021eec61a79dde559895ad9ea3ec18483eb

SHA256
7fa11a5bee0339b519f23232b965f42aac054770b1236b90a1c17bd46e05ab94

SHA512
b5bd29cc0ae21b0555486c6802309b88ca4cc6e7213b700babc3f29b2094ace2c4b8f5d66e7414cf675fead96cf16cb5f3a379397739b88df229a13cddbff892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5fe5c5f7efe86ec7defe4b75b49f2475

SHA1
403cd988be5e35f4c66a403a8fa2b022e3407cde

SHA256
8a3037a7a302834c8a98fa465ee82f020e889e9acf8640041b1668459c11c470

SHA512
3c77516d1e0cc00b0f7cd20ef06eb8f0d8edb6d5a129bf5ddc132e5f7444cbaf1573cdb7e8a4cf2b23eb8d2470f37a39d1268804079a873338f0800eec1f1ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a710735d7dbaa3f93a9e2b7faee4bc6f

SHA1
2510fff2fde627c13d620127092f8e18f8b7d93c

SHA256
47dac0a5e432ed49a03aa6f6d04c0ba942c18a6ff842b5908353e70ee6a4205e

SHA512
90d62eb811eb6976f28a666a142a3b68bfd64ccf09b03e379fffc1aca2480f800d98e36944fe47263754aa226b3aee2f8816d4f77bedbc431db2068e9725c620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f014364d838f6352cba10905287fd448

SHA1
4630d4a361745e8711ea33e57a94ec31cd007360

SHA256
20bf912e428b37b8b14a3e9505d7647421ee9a5ff9c2c97d198a858f9e2c7b18

SHA512
6a3f0b4615fc81ebb471f525c0a5ae8bdc30c588571afb101f1d7b18009d4d2d7b536d20dcf762d18551c17feb09d91109f15bccb4dbfbb490f961b6a0fdfd8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
02b05aa0bfb289054e1d9bdf320d635b

SHA1
e1b8ee5725574cc9794d43c316d1b098df22103a

SHA256
184534d6165ad52bb109aaf8044156359d24354cca64c14ffab08883a96f2588

SHA512
f2349e6140d9551cb5a80efb1d35e6bd2559333fa1635eb74fce1d5bcf613c07b9234cddfba6842f374c2cfd10ddbc255e4c09bd4c36876780834389b5c07323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
38fe4f28a49eea3fe11ba23b538dfb4f

SHA1
7f1d96be05592bac118e4839dc374a084f7bc325

SHA256
38d7daffedc32dc9a389ba8a7832d5f512a5768d6fa4ffef1b63dd6588900d69

SHA512
22057524a7e15afb01e4e4f3e06cefba6fa08d41d00c2e8a3d0edede0dd67a926b933f4b90a223a43f837764827f452c49cfbb3b7f0f9c1c332e131b00d99dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
aa5a99a12467085e5c82ca1728b21dc6

SHA1
c56e9cc3e8ee444bac8b39ca55f33824061abdb4

SHA256
19785789adbc38223bba03d4debbd92e84fbd55acb6eb543d96f30fd903cab9f

SHA512
838e57d8dd159511722b2adc546a57116fd2610d47cebd3402cdbc3e4561ed22642ae1e6fc9060311b346405babd7911297d00ed5b6be624c681a868ff06a7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
dd7905f25b84dad1c3d15d3952bcbf48

SHA1
3216b73fa62858bd329d61be06f85560ec6bde52

SHA256
f6cc9065627b62f509740129e27c91414eabc753abdec609dfc226c3d7947f91

SHA512
582d36ed964f51b436bc6817c837bd1d6f51c83bed929e4e6b7ffa7b21e32699bdeec8688850e19c1d41b4a4399d5414501d519243c5c2e07c7ec992285eb2ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
95a043b78c621f26ddfc918467332746

SHA1
cf06b9b3fe2ae847fcac269f7e62d963977b9a57

SHA256
1d5dc147f7d65bf8b9dd439b968e0b9b0970257aeebbfd0601f61414a07c71f9

SHA512
cb2e18f90863a2899b994e3bfbbe5de83e7af70c20fc346e4db64fa2ee9c6bfdfac491cc8c8412259d92c4a4496d343473ac0cb8a102c3b9f351fe946f3a0f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
85b2bad3bfb9f0473f07bbe89c3575b3

SHA1
67f632e1cfc60f652d3f8d1ce7e93f409f647cb3

SHA256
78dbdfc3c3d92c11135e3db4851d1c01348dc1a9fa48b687c5058f0b9410a686

SHA512
5fa6f9a77087a561633eb12c8bbe724679b661181a3be9c5a043cc85a14ef88d75d9cf35da3046a9e772327fb6aec57d97810240fe3f5e1960a1bd40ccfcb1e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
19a4b11ba0ff6579bfb6b4cb56f43793

SHA1
a3d45782b13ec31d6d3b313e9d8afad7f9696ebb

SHA256
bd38fe1f9aea004643d274e7d173631b7e79f0ecce171de5d83f1062047a7ab0

SHA512
44b2e72aba89c2f73e0c866a479257b3116dece7865de94e1987dfdfb716a90b1b5e91cc5ed5d7b9b1d6b05ffc1018884f65fb656c9c49b6c8ae9be1187b5f40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
4f6c13fe2b414f229bae5cc185f15ed9

SHA1
fa130c7984c7a1681238accbbb08a6e6f5428a59

SHA256
d6c61d4023aeb13cc6ea49aeb4734eaf60fefddccb625e6d5175db793fad9a6c

SHA512
732d18a4a59c6cc82749033c987447973c825fa637bfc77e923960f8bf5c376ea6ceb0156148d000bd854e1701f6a39bb6d078472beb0dd20367d37b66eef0f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a218111e6d0f51b491f8593520036057

SHA1
e15afaa3030386062b1266cd3a68cd0b243fe6d7

SHA256
e742f86eae0a79e9fb5005528ac754f8ff5133a747a75a1b6a7a9a8978c98aef

SHA512
3ca55a43d762418a9e7f517fbc4087719431b1e19b55bc09d3d5e13af5714a6da2183998531b1c1d77189e01cf55540ed5b67d3fe733a17665ef98a278c2e63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
164a1d4c9fa58a20b7b515d8ed7a1bcb

SHA1
0cc0f1c5c76ac7daf8d1a982da446f707c8e40da

SHA256
2d34cd0aa31eaa2476f73ae3f06feef2bd8145aa583dcfb69b7955471e03575a

SHA512
8ef2f9b39a7023da23e5b9345ee4475425c7fef9448101da18bd6d202c37b70ad9b3d568d80a00fae02cb43855da61d820a6f70329454014a874d14a86d69520

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
1d0f998e093a258da122767dc664d812

SHA1
2a37a3840285e6ca2ed1dea1c8f22a6eacaf9808

SHA256
2143aac6ebc9b83b800604cbd716ab58420d2a709f103ae22e4808fd4b499551

SHA512
cbe79476cca06a0d11dfab2597200668cf821aa314220a4de8487d2e24c175793ef4a93413fbe9ffd0a4cdaa570cc9a7a0d404dcf78e95480ea62af1ac9c9a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f03831cb72585c5839d82eba0cbbc2ee

SHA1
3d60058d9d0df588eccec223d26a783bba7ce5ea

SHA256
e21a7c7665e32e6760ab235b23eec6cf39394c0db98102372ecd55433c1546a1

SHA512
8d776aaeec0713a83dc66265ec481ab9eda83a23ccdfe4ad6cd33832a7e081e0e784931eb41a186b21a96c2b6496dd2dedd1a289dd24f6cde0d41d9e35caa22f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
977767c7e750e8f1dadaadf0f3f1f75d

SHA1
12ea5022fbdc07bd4f9062557c834bfbf6daf1e7

SHA256
3477c36e414ada978071bf6282ff6d4a0e518883163fdc330dfa0ae706d4cc63

SHA512
56cf1b522827b2920507fe318e6866cab62d22a4446be604948013dbda2a65d5c2bd11d8933be4666c3e9757b4969b4ab6627eedb0df7afb2a478a75c63c7054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
0b45ec83e0d5d60a215062226487a0f2

SHA1
0c4e21eecb1efb97660a2c678e539f0e2c4850ba

SHA256
12877aaf61794679709ace9f5b8dd802f1944748fba911ff0929eb0a4da4d4b2

SHA512
e2347a5d1610ea5be5a7d01ef0f5e65d5c1bef9c5d7683dcd337fe2c1e494e992a5c81ce63bfe15d24e2daf5ff67625d02ed096a427097d4352197960985a5c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
f82cb7cbb9d13987f3d9d489721c90d6

SHA1
4031f9fff166ff0a63383e3e5f8579526c8a9c84

SHA256
f4a056cd06fd6fba7ec01a9dde9d6a07ecbc9ef7e11f91f896903ec1110c71c3

SHA512
c9c19b6e12f35946e9d62f44712b0f6bdc24d6549466efa79d53c8551203ae5bb78d4d7b3e84b8c7432d730f18818c43c386d3cd39f547af63a5279205988d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f4ba83c3c0e44cd7ef527b4051d4705d

SHA1
6c3f49aa0fa8d37f057608e706ca034eb9190820

SHA256
804f22e2c16b1b4c23e10688f59ce131bbcc0ab349b8329bb930350b31309cd4

SHA512
11659f4300e5d3e04033b3689fd1d39288bb45753dde4ca4f105d5119c9fcd4ff7494930ce402a8388614a5ed24e636335dcccf9985a3ac548e79e27dd57c794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
33bb4105aa8e81fe44c9f95b87711ebc

SHA1
4e95032e0a8b1b4005ba31ab7657828a1d18448a

SHA256
818b7be881c441637f11f43be687f3f23d6da1244cf555439c0a2e665e99a330

SHA512
8b89be3709e7ad0f54798aaa0146ff211023b4508c23eb05d53d10ed6111f84a35895c2e1da99e4fbfe0b43d412a01447b9ad4c93a3c78802d5b33156b0bd0c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
46a7d1d370d311c9f9d8ec15cf63a23f

SHA1
2f402f8de0e32993dd88b70260a8b2a5b98606c6

SHA256
1f41cc6c5b4a38a9a469d8d33c2ed54991c8ba197e15f6ad523244856061c3cf

SHA512
8875fb8bf872c4b7f5f7b66f20ae85cbff520c0f4b2646dbc674454af6f4cc494ea6247e10b1da50055914868d031bfcfa5283db250343ea5f028a7a5b7ed09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
25495ced64e4f019ac7cdee4bfd88fb2

SHA1
2a8ba99daaa8d155568920210b72cc691b432348

SHA256
5b6dde3fa84a30cbdb112671c9284fa8b69e8c8b634b3e64571ffcd4d993cfca

SHA512
1c166ba5babb99995765fd6fdf6e75378e44cf28544dd674705a9748c2d0a3e425399a433892f6dd99160bd55f332026c63014fd1e1621a0c1104d30835c3802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bd63ec595a420e3ebaa34d84c2dfa2b2

SHA1
0c927c751e7ab3d9c53ebdb06063edac8ee5294d

SHA256
2908e87174fc8dd24bac7b7f151639db8d3b25fb80cf3d5220ff55727813f03f

SHA512
77a5dacff62be28fe1fcc82a2497d69c7987f3093928f49e27b11aaf5f957a8880a046a5a6441c132940e54031986f884dac58878d34f26b2be46c475908385d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d613d378199121807d20934a2abe7ab7

SHA1
42646aa0355847b3f07247d101a797cefb44c0ea

SHA256
92a47ed08c060587af84bad28d6059e3debf9bc01a3d90b3729f5686fec5d0e1

SHA512
8f932f451dc4ece54ac13cb92c9b5e7d5c45b513ce0d1ee6961a3ab34950063c0edd096e8cf0a99b1e8ba3fa830f53a10798045e964625e3b223c183a6b6d797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
088bd9f9efd4d51e3d0ecd9af798f74a

SHA1
5313ff408ce2d3d6d340b025c11b7ae0f49583f2

SHA256
05f46d4c3f05ae0a7ea94ad75c529ad3bf56d49cd2e689d02f88729b56227eed

SHA512
9726cbb0e34cad9192dae81a8011045838092bdb784c347e1d4c83b48ac9bbd0f395f7480308224746c147d3e48a6673f4ce55ec95e2d03d6295d9f042379e64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
621d30b7001ee606d6c3b1bd961f3ae6

SHA1
f6a72f3093ae7940e7cbd965ac50f8914d9d517c

SHA256
d29755b86a56130b0afbd44e6547514108f1a278de62ca09e4aa65853c8dc471

SHA512
6b4403a066cebab7e2105939995599298696e1f9806a3bb9940621c7c4457ba882bea455bd6040112cd6cb48f8db8d890a009558a61b27560321ba2552dad71c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
833ae000ebaa8bb40e01737b5ad0a722

SHA1
ca8e623e0b2266f3b037490a4959e1441dab63e6

SHA256
dffdb550ddfc177767d84c01d6869fb2f626d4ff9b86e9b21e15c90d924f8afd

SHA512
66ab2895d99c6382201f9185feb7001d4fae47d53f7f89d1bce3dd464d0ce0517e105c9aa199926d43de8a1c6cdef43a74dad3860ae2d77236c224f3d72bce2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e39ac5b4f6dc065235e889bc444e2c9e

SHA1
0138fd735d1c2f6700eb9acd49e96fabbb9e4cc8

SHA256
6a1c55209f70f7b4d76a396ebcac1dfd87e582c415880377c28033ad80b8fb9c

SHA512
5e1cdfc5ad6433c38e40cbcbff6af6bb60eeb6f75d342ce0016e8f1ac27d9e2e4a780ab6bfdd82bf6e4a93408238b0c8d825e7ba15139f7740d67c75e2069217

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
825550e40c13fc9db9645dc84a2c95bd

SHA1
06198390d9069d510a06abc10c83f6677180af86

SHA256
6692a731680dc40add49bf139b62ddf3499b06434a1d8047340ec581290e5ae7

SHA512
76ab62167fc8ab10b3fbc24946e9736271efb8685093c8784ad1244989ff3b47d518f021ed57718814e35be9c5a8399fea3fa7194aefad2419d92e8c90c2228d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
40d32b6860bb0cf92cfd2f046a83ed8b

SHA1
84f3aa1dab199d528cb61fcc1aa75c08ee417d5e

SHA256
947835302421d46f777e5384fbce70bc6c6f4b1cc2cfa07aecc8d0fa4fec6eb5

SHA512
c2b83528a717c10133fcfc3ba432917f83ce5a78339f266833c139386a32d7b0603da51533fdb02ea44ba9b14063c7bf1db01adaf16a4fe8b5acd2fe02ba9e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d311e3eba0f3c508906fcc83ca9faef2

SHA1
8d9605d103aedc8fe88d1e7b297d4e4403b7038e

SHA256
c6047c0a0363a8fce4c373bcbb3b309f4b5505ceff4b37508676b9141d59e8c7

SHA512
84ac6c295fe1c6535558da19d6a5074a738b64f8017954d443a6b5cf79f5c8e7c6b93d544718e0b7837285e06960a2e25d9b3962ee8070b2e96307e3871c4616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7bed4391c0de047a53bda362aaf49d62

SHA1
95d7fffe9215aa9e116bc61d04ce5743b7fc2429

SHA256
7a6e7ae0c2cf2168c845817575a44a53fbe5974e686b9db6cf30fa9c13ec6331

SHA512
07dfdc8a0af5a701c6bb846d9c34e0141ef0b0100496cd12f4bf673bd90fabeff281b6cabfee3e2c052667ed73a5970934ac2473d36b9df665f16ba9621a14f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
161bda5f6870a9f0884f0452ba21dc5a

SHA1
584876c59bc1554b1a26bf9c5d43d97a0118dd63

SHA256
d82bee2cbae2bc275bea2c75e75643927635f687ace55eee1ca51a1be419dc5c

SHA512
6e0c145836ce568b362e60b1fee2f6fc1b93b758bc5c95da2563420cb7a9066c217ded4cf08b510ab7a1342e8501ed2d02db6839fe00bc3c45bd60d6c611680b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f37875bcf106cd04e098590ba12ebb3a

SHA1
23bf5a49359ed4b4d267a3eeecaaff6394225fb6

SHA256
ee9786f51c35b100c9e51a79d863cf4885c89279f7abfa48f181af96d73638d6

SHA512
9d0314d744fab8158d1f60c43725690477737563fbff43d86ccdd2340350c4a49449fc1ce3e657536b820e5c856f882daeb65f3d2c4da34c0b7b82ac83d35feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5cfa4a2caaa722a7856de0e7e4b8348

SHA1
54c12da0c06e380fc4867f40c7e6352434ee633d

SHA256
2e7fcada161300559edc8b9e04f52ab8981626daec83ec380eb3c1d25e3d29b7

SHA512
7e157d9df5b17b714b2309c8b6287d3da4786c200220866cbd948c38bb58af66ada4b3c1ee08fb3c9fdb30fb302e79f6eebdf10a8bfc7f36e52948d6ad58b81f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf112afa9d662af75cf78c944dcd86b5

SHA1
e486e3d43e461a7277dcaf4ad0877839c2e344eb

SHA256
f91d3bce84a3dd29283313d5902f84cbe1c9e6b9502cee47a0897128e71a83d5

SHA512
42a131d5daad22a46cf3e5e4bc14734c80a5b65201f6931d9409d342e3b47911bbc8c9774005f4c745e89b8d9ac8493423c2c7b3f5464f3832ecafd17051a14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a871b7ab7cec2ef13b257012165e85e4

SHA1
8b8370fecfa03acb0b60df5c9d3c448b2e77587b

SHA256
788d925cccbef85fdebee7b52c8b76a1ea629664537de44106174b745f931a78

SHA512
1a7e4088725a5c8a40edaf5ac3760a2df014df51b746f9d9608ad6245500028c118987fcc00859f6a85ab367f062de8eb430489b34443aae49a3236d48cba397

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25b77d66e9fec46fc09b9be15edf1f4e

SHA1
34be46957cf31924608683eeffd6104d33835820

SHA256
ed1aa7370c3a7f26f438c8c65c0631f1193da4d35bda27ae0d1e36b435bfa153

SHA512
5085f670f347535bd99287871eac344fdc35da571c6be832cd71754e56c2bd605698698fd4c90d5fe70d5ae64221505ed98751c0ccb6fca0350392ad8530438f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e44d05433e440b368a644a66ae67a0ec

SHA1
99afc87961b36d1f2ab23717e2a583e61d0b8f2e

SHA256
24c2ec5a50bdc3abc80b2cb3d8cde51d22e8ff6739da4ab24655892a20456da6

SHA512
bd297808c404f36e752102ceb12c29b03c46d19f4a83ffc112c0f9d2145af3f0d9062e1731f779eb4e2a636a0ccb53310b19985cc89d42cb4008e5144d75d9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5afde0705730e75419eef6ed873a150e

SHA1
b76650f6268687b6ee469d035c039f45061ca4d1

SHA256
89d96e8ef2c089ac679639d343e3a0d9a212b7cf189c0e939f7eed96e8be6443

SHA512
058de574d45505b06d776efd05a31e013e725eef14e69f01d54381e2b4293db418afca78040cd2d11867cf7d87dd4d8070c6a1be25b258373d2b4b94a9e66862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7126d9d6348c95abb55aa3ef8b1acca5

SHA1
c222ab6a09e026a3fee1b98a6e059576eade6e44

SHA256
76d6825768166f4011f60ce15e4487a74d5218b13fc365d0f3dff276e8f5f43a

SHA512
0236b0c46556a4187eef3d0867f51f70d2b20785e895e905151f0b1abf399ee5edb8831f61ce7ff5a93a66f65962de887f254ffd8a79eb1d109c375a2fc4c534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f88a52698acd15c52885e413bb0e66e

SHA1
9ce9c4cc14f4872c8d004041af187623c4792701

SHA256
c9c69d4b92dc492f7a725521541906b6a638500f8f2ccbc725c80665c8a350db

SHA512
59d02006e84169d2ea630df9140d97693cd589fb07aa1241a665c521c898037066b7adde2f3309129370255ff12c1cf425c120f613eab5e66e4a2abad9d98390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fc0995396352ebcd2689dcffbf5aa04

SHA1
f10c4fac6339dd66b97def696a0303b922ea0966

SHA256
bb7b2e054fcfbb6315be0ffcd29c32261cd3b8daeee9cedb85d3aa27c8838e1e

SHA512
04ce4eb47b7ebbc8e5aba52e7559663ffab7e7d547453ffcca60cf07b862582aeae9832f73e26a17dc7c3326067f7d5fb9c5f365f3806489e6d6541c58e60dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1daed599a7cb8ea546827e44381f5051

SHA1
82f72a3a75711c48307e55f8043542217a7ca27d

SHA256
0a0079b95bc9fe87b59c6aaf9beca3d4306e4964fd8bd7b689a79db3a6a5865c

SHA512
3b314937a9488d3ea32a326032dc52c65a6b736256dc4bed8eac6a393036bff0239c99af7ccdb6a3bca641744b6b0d08d83910bfca882d571090935e9f677c0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
66f103c692140309f01703f6c008b53e

SHA1
e2e02d06fc5faaf6c9fb9726b46dd61264dcfefb

SHA256
0581dedca0996dcaad0bcf5545c860dae75a625eee2574e3190425d000b3580d

SHA512
a771af562cecc31182717827fb9cac626afb0b0c984e34ab8770eb73b9c88fd27a61f1b185d88a005525dbfb73d472e6fe6565d17d9df9dd9a254a4f0a3cf108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa1a012eb82fc9d69e45be3159c854bd

SHA1
9167d3171848a8bee4ac4e24aff3b696d449b15f

SHA256
af7ed07e71c17520a6917e643b7e8e657f060df3c66de306ade3bf05cdc90492

SHA512
bffc79a9ccaedf302fa9ecac41fc0064dff55956ede2d42282e6aa7820b3a254b3d799b8ca8cafef4897bc47fdbb3610e5ee8d5e321e4bacab2a301e12f3084e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d586ea0f9b96d141fe19940654833df

SHA1
676470fa119fb03e86e7572b00c5820f4915c8fb

SHA256
59e43a722b56ec6ffec6e1e59726319ad1be69f32b4883d87fb56bf951a6e11c

SHA512
24178099faee12d44de318c90e22365dee90d2beaf3c99811555bdc069ac480e73677057212900be038c64ba1f220840366947402d4a499c501f240bdbac4a19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
03a7a1679919f3acfb9ee54e466354e7

SHA1
9d8abc14779a8a34bf3c1b6612b2442378c807fc

SHA256
679eeff966dcb5026a682bfe75ca6eb67b33c8d242348836bcaf553524813366

SHA512
e0c148690a496a26b9e1be9ef75384cf1ae5c50297e346c52cf4b6d66f6759494209bc86ec5f9a67ac386640917c284e24ef5d4e5e305fc84ccedb774b65b5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
045a1fb93033700abc2add744311d8ff

SHA1
73007921dcbae0c974f050482cada2a4ee80b046

SHA256
51363d292f01178c56fecaaab68f76c5d06a02f8cfc766d81661dbf60bf7afc8

SHA512
fdc725511659a61a0593cc3a23bb9499230c0cd780fbd36259520ae236de742787ed52618ef2ef510044c5a306784236a1fe509ce2ef97698635edde0660fe39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8cf0b0fe0226ffe93fb5bce2a906928

SHA1
0f414607ed1464397d31e4fb257f4eef1f0f5e6b

SHA256
c77ff7950b9550daaa0e7eb4ac25dc6f5bec7acb87d07efe56368efd246a24d0

SHA512
9c990daa8dc895feff6a66ba1b6b4dd4a0de3bd89a0b31a93ea26dc06642d88583d4a2625b675c4b644070e927df84abe23649f19fdbe784ce7fb4466155301c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23190a57eb16d55b9fefc69eec6a420f

SHA1
d7a049d3a59defa09522d76651d87a045ab24f98

SHA256
d1eed85eb1d744ce4279c5b3f9e127e790e8bca6af29ec228e32c853f28b5cb5

SHA512
4197efe2cc1126d59445941baa492dc7e94effaa9ffb516f08925956e7b79f334976503e07e4f0e2a1d6c9d11dcb8533f7aa884f2ed5fa0450a1ea40ec7576c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b30f6e52721d5f4519cbe75575a44840

SHA1
54bae9687adfd9e4aac637cd8f7466b687a4a920

SHA256
2acf467d4163e4d2b165541927621e3e42723188761ae501265769de75c76674

SHA512
e888cb5fbf6ae71d8bee80ab6c977e30a063157ecc44d7a8fa80556a90f9c9c9ef4562135ad872a8c5e5bb7675842ff7ea1b0ddbca08a89a3e30b7efa3ca2175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
90f5b7888f9306f886a8a10e4e539644

SHA1
ad59baecda004ec50d5845e52085494bfd49e975

SHA256
005e4ad47f518d4152dc13a8389aac76b4303b555c1046dd1dd03936e821a4b7

SHA512
48005f723691e2991f2c5c6427ca07c56fa63595de03bd11962b8b03b43bc0b9adc961048e9618a0fc22fb3ae1e29fc35da8f603309850e7c92eeb653e2e5dbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d3d8d7f26c2b39c1ff3d95efbf91fcf7

SHA1
c73869530b765e02dae102ecc807c12b2a4ffe57

SHA256
8505af7260459ec799f39b3f92692f9d08e671c27aa2acbc36ae065f19acd946

SHA512
bfadfb7c87c44828eab3076bd27b6012eccbb5877411df6d2917a93f2ac75eb01f2e0db052a3efa1d85be0afae15279ed163973099b73509deeb453d7f9b2818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9764c46ae4c84dde4805fa6ead21f38

SHA1
954c20cfbd2d2ff5bfe5c23b1ca3036c534a5a96

SHA256
c18348efce152612d42039851f7807f3ddeda59b0110741935c484dff3cbf8e4

SHA512
91549ae4cdf5dae12234c3c84a5a8cd335ec53ed7313d58260482a4251874e2de849e65cb312beb4c12a618f4d3a6beb4f841fa84414e75c3035481aac7dc45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5db6ac9fbc6b9c2c308151c3eaf77018

SHA1
13d4d109a631661374900bf6afdbeb829b09ee43

SHA256
00919340c3afa1620b9dfe850ee4c24d665db5d035047b1a7b1eaba211acb006

SHA512
e86d73ec82e4892dd10de51d4416edb4bcc05f1c3136b2dab4495e1722bb0e0250974690bc08aabf59c0fc38f0d01706c103776fc41886d653068709632f4c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f34a1ffde6db17665ae9b9a6b82db9c

SHA1
7ecc1509dc3e1049c742168dca7bf27f22f1359f

SHA256
7851acb69f80c185be592a0310e9eb16186f9811dc1bdfad4af730b70112396f

SHA512
1ce3901ae3285adb96ecb43309d2ca57e51d131ff51da8841e491e20cc20a5ec1c56fa0da9fde9f06866ef76f5c970118faf1b690f5b835129deb71097075421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f7ae61e935dbfdecc7c212bb45d1f78

SHA1
cf4dfd0f73c80073e7a2dd3a4e235e022aab8668

SHA256
93f7423304d5508c66c067deb8820c0fb39ee53c54fe628ca4d168c0a9f1ac82

SHA512
0a56917e2339cdaf731590b0da24fb247ffd54e7a0b64efb1d653fb0a33cff7ab810cc2cce6a46a6bee75bad0150d65b6df0b0a6bc2fcc6668010648376253a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e31e525323d2c603c3e72770b1dc7f1f

SHA1
2eaa7e27bea94d74fc39dd65e9281620727b1416

SHA256
09090c58be0199234ea9b1faceb57531f28589947665c09a49e0b043c1ab6f51

SHA512
1450b4fa4b955683bcaae427e0a4caaef6e45989796e8e828771aa73f9cbc13c97e826839f85b4f0eb1a687b3b849fc92ee10399fa6999f69a3e7f93e9069d49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
140B

MD5
b3d0f84709a0ad15f594bd4a05648bac

SHA1
82e2e84efdb3a0a412a6b079781f324de0afd755

SHA256
26cda09fd3168b4b1c752e71dc008ced29a04775a336f7b11e4c0f59507b73f4

SHA512
bbaf8cc9ecc447ad6f35ba0692dde3aab38cda9bbae178c01be99754e85303cdc5b2a5e5c44fc113c18654d1bb9c52a9b71ea2bae874d6cbb09fe3d98d81fc64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5a2126.TMP

Filesize
140B

MD5
3735bb8615ee6f6d716803f265b4ab3e

SHA1
66b05812092a5635a733cf1dd16f4675fd44682f

SHA256
689d6d4e3a0c423cb6a41baaf008f791ef6cfe18ed2279c58a29f54acf9ca9fa

SHA512
c3a71f41cec31f4dc2a1857095597d56418ba4c2eaf9b9cd8e3604058df2099e9f1baedc21669a52e548e89c847ce6b64f760fdd86f873b101868fac106f68f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e0508277-274f-43fa-9e0f-de3de5e4aaf0.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
b3e1721a2c6750d25f4d21c3d4f67fb1

SHA1
6cd2921a186e623255cbee361ac3d588a54d7335

SHA256
062d00827414b5191197ec8e117e1f47e78abb98393192ccf6538bc0b9f900cc

SHA512
101f787e37f2a2d410fbb58f34b2e7b981516ba5dde384aa40658404a458bb800c5cca5b5c75751ea64c6e9cb65a23c4dc527b52a0aa660856ff894a397d2a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
8886af7332bc4d4fb839606139b3cd4f

SHA1
56ed489aca0ecce822b120db4ba530ceee3a5d14

SHA256
e6a08c622e4786e71e96c52b49608d3e9c58796c5e47da731306c77e39a8229a

SHA512
5af32755b22d61afd29c07ea32fe297bbf58f112acb319fcaaf2011bd1ea735d5d367881754396fbaf3091ed1e5c516d09a888f3f8cce5f1dca9d804cc6296e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
a1036cd6df13fab4c370c288177727d1

SHA1
9646d6add42ad0b9476516aa275b939c3b132608

SHA256
34f077b612a7a080499302a8f08acd04d82b97673b46dcddc6c382f750d8316b

SHA512
5c4a9544cd6ab4be5c61069f21e5f77b96a4a7040456ee5ac3538b72631cf4705c4eaf5063e07749f7ff08bd8e90db88fe8a735207c6938a2b2670155c03abce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
6f511deb92bd99e3c876b933557fb561

SHA1
531a75a556938c38ee4ee5cf484a1f87a97bac4f

SHA256
a892a631dff7caf8e84205ab1eaf9a5ff8d5e68e5ed145f1c120e18560b2399f

SHA512
56d7fa6462321586f5c7c495533cc293de8b783e3f58199dc46cc870ae34a32729966666550852c8e04a895879bcb32aa2d1261f820d03eca3edc408314f5bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
57d55e18fe73736dee5e409c0002f184

SHA1
1298adba02d57dd2c48d922cc89aff1321795777

SHA256
74599f79b95960891181bb433a79f6523cfd477dbdf2d28de8526ef78d5b5708

SHA512
66804db1bea4cf826d5c334668ea67707f4fd712452ba0090fbd725e62df0cc3580cb63454625906b667379570f5fecae7840a5475105613025ad65e7e1e8403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
a0e49178d3ba9111e7acb900c90a6e7a

SHA1
1060c116ce376087be2682a59148b53bc8be3f45

SHA256
af307ba64177e148f677af9ce383d23a1e8d0d2fa130ff1f35d520c32abe119c

SHA512
5e43eff5c0055cf2f68e4e433d2666de702d427cd3367dc431650838d9566aa3ff86d5175021647b665e7aa18a1e0b744f817e8ec5d280b63fbb94022ae69a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
2b2ccee570db1ed3e06fb6bf9642230f

SHA1
9c32d8c03b286e565a8cb1baf1030a093ff36305

SHA256
5803c5e0cbe13abb42e18b73d50bf2931e6a7788bedc2ebb4b14c5d4ef4af683

SHA512
f596fe92800a99befe43fd9aa6aae9d3f450eb1d92effff9dc7e8a1f8f07e54d064186ec1aecebed140df22350e4d9023804e6eb7ab5ab525877345709be9131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
a8bc2efd384d99ed855bd8fd687966d2

SHA1
e7556fa51c43342e2a89482adba9dc2b698d7221

SHA256
075fca667131e910558b5d93d96089815c10948309d66d27023ca28f8a7ae31d

SHA512
1fb41dbdea1d618a0686dc3faff0dc517408df11806165925821e480ee65c97303a3c7c496d6e323c81ce177d2c7a0109431aae52ba32d80bf74cf53f72cadde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3745ee16926653a4762a2d36e4b04658

SHA1
3b6b5bd44ba4c81f870378b3c8de0adda29c0243

SHA256
898d41bfc880cc020ce778edb5a6a868031f1a7c93a3db565cefb990826eda30

SHA512
d1cdae77e0e2dc9fe95d278d57f330225e62f901f31fe94cbe672727662ebc7936f742dc1f93c103fd17e84af904269aa26bd0ca797b3c836c60480d8dbd36ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e69dfeb630c63511f07903a002a87bc5

SHA1
9ac27d8f666e8781ca056a0cc83f60a20814b6a7

SHA256
2f6a02dc06e62f474b8c52fc4f6723111309c5602cb4b12c8be3b2b1831f704a

SHA512
040941b9d87b771bf83e1b22cb9efd7157d39db6b965779a3e9c5a2d75bf7e4fe6185e3cc9351239658a49d686071cc65342f5e7a774906969cdea38f4ae7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
50KB

MD5
c5e4269c76773c28ef25843e60012c2c

SHA1
fa01891e99e620df1cec402da799d7b7346b6005

SHA256
c09f04bbb3edaf382fc31c36c7f4210c21f5e73b6454143f7eef0157bfce20cc

SHA512
531e622604146df0cba1dc0b81c55a30946052a2be4dda921283e6fa95acc2249da7c26bcf9357e32da7de958394f191a1890beece07ee91e3600c458f52e666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
101KB

MD5
d9a256f1c5f04c0ffa87d2f097cb6e70

SHA1
35f8bd1a6d1861e8272a4ae7bfc1d81179021da4

SHA256
1b16584a5b657e769d9ee6bdbff0402ef777fda96aac4c0348048b6367459a83

SHA512
72647ffb4dd8b9ef75f145091c1171eb4607596f1df8245f03b174d093eab35f190b4ce1b44f73c5b6ed50462f40892115e99929087cd2717f4f037e52bc11eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
643KB

MD5
caeaddd6303a30b18a9f685f6b59905d

SHA1
209f5e81b10d5fcaf671ccfa5c88ee7792b5c52f

SHA256
f3cb74988f32ae77531957d15fbba99f39ff671258972890fef6ed9ee4cf094b

SHA512
a1a91e5d46d9746d9a6e9fb62a4cee16030a4f160a0aa5e3d27eab731bb93fcc16ef53da7c2890f44bdea073d01f064101ef2f0f8bd83189db6826d52a673128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
34KB

MD5
c8777769c4d08c70171e6d1f712226a0

SHA1
83c35e2fa68676ffaa18987a235a16d23a5d81a9

SHA256
599b58c74dfcfa2e0bd45bc1e5b1c8b1f67706bf0ba0b480f885802b64459a33

SHA512
65fa7725647388287d14799b02709768c6b5237d7cae6a36a2993e51aa30eae1546e8b3eb7937030f4c68969f9b474afbc8dfe5922cfc29983cf4d91904987b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cb5fd70426bf92aad3e167bc938a2bc5

SHA1
3812970738eede845cd1e7f79338dda7ea59d56d

SHA256
65b58adc9942cd32b880d6cab49fc0c4cf55c1af809852c7c75fdc6ba68f1c22

SHA512
b50d0bdec725dc9e015aad9802082435f4929721a7a2a336c1555347ef1e58de64330ec90b6819420a3ce1a8b1af0172c6f09b265d909c5d8eb371905ba537a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
c53cdeee4334bca0197ba66091d9346f

SHA1
3026135980361f80e769375a8405acbb6ea97fcb

SHA256
3bc3f760c98b08f3d2d1b65f4f48a6ad68031aa4a66b9c73abbef6bcc0ea3557

SHA512
aaf9ba0d147697cf4af1de87deae50097403390207b1eeacdddefa573021449e4eccc140d0270455a2441aa027fd893cb3ef756dfb43dedcf9fa29ae2b3a14b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d8d2282ccdb17d3973a44d6552f64397

SHA1
f74fc8242b8b134b599c3ac389b0d18113693a9c

SHA256
135d099ae5f51ffd09577c5f35493d97b4c0b119c4f4b7a6954a5369161e9ac1

SHA512
366287be80043ac0b4ad68f3dfd7ceb4fcd64a1c3b376c2ec4664c91e2b93247d00fb32af6d27f14285503fed51099a8e24ac32328a808f4afd11a720246c999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90009f11b3e9a6b9ac63ccacf1c0f25a

SHA1
cbf0e0abdd2b1daf182561fa84adbeeda97236cb

SHA256
8dec46804d400ddb47600cd40d263bdce717f9299954ad7343bc0ac7f35e1aec

SHA512
e912fe54629f25a5c43cbf3f1dcd87b74660d829705886cfeb1445a0379c5c5842d45463c18e566975dd550809fa4afcd2e277aa2bf0db6e5728b7250e986ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
67440b2f66358f7f48721a182d741492

SHA1
41ab1f2d01df179782cc082f76f241d2c02d0703

SHA256
f860200e8071fc21b4c5de291b9512a8bb549db8b8a4c6030fb6177aa564bf8f

SHA512
1689db80a3a1852fb92b53bcc8be4fe5ad0fb0af15fbdec265f25a2e30536b336c9297ba10e506dc03729620196b573bcd6f64a84fc7191dc84eae457b4d7612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
abcd1a8a32bf8f93eff82b0909748e28

SHA1
991007900afe2a03d0ba1b2bff09bac620288bbc

SHA256
25794aad01d3cbf45888bb25c5fd53bad5f05e9f53112b909eaaadd8ad32eb2a

SHA512
87a7d6713a5cd54516b479f3e1f6d62054e1ed4254d680052cadc91e9067e0156dcb06c503044a359654c48fd72da86a437af7a6f0ca810138300a4c5f964934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0ff996f7f316e359c6ae3da2420b9b19

SHA1
8c523329093ecd52cce2f3de19e5254c007f7839

SHA256
c8f55ef00e154ef32868baa7ed0ba574caf378b1cdbffc8276f7cfcd2f575b6b

SHA512
2ea1b1775cb34817817571ecc2c14be86a5af4f91502a9292b2a164a414a89ad1a221764e5068efc068391e9c5ffd7a0398dd0eaa32c1f30301366aab3bd1ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
7b58d93121c30527f424687159f19030

SHA1
217a7902418795c322e4bca2fc04437b97df0496

SHA256
0b362ce02ca05fc33777301d9ef15f317047de903bc04fb94df585e23c1f4b79

SHA512
f21b35e8440b388f7fdfaf1e8eb43b3c82b41a9d5f2d1e7a9401f21ccff6056fdea9dfc5b3d78c4314c69faf9be96ccfcc67d22892a4ce6593c5f550b079c82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f61910eb37c6d2aedf1dd139b5b78da4

SHA1
c13612465b34e371933d4cd1f4195767f26c5482

SHA256
d8e7919c2240a7a91132aa6c6e5c0a99c36b005b2c68f6ca5c59e7fdbb642365

SHA512
2eeb0782aca91e53a9c7578e1d2b6964d92250df29b983819ab493c92718a00fa93f955534a243720e7fd46797006a67a76ae8f7f06b6753b8d41983522ee53c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
88c42b867ba903c98605f334a141e1ea

SHA1
3b2271d9030ec8846dd1f94c0cb68556da0ee3db

SHA256
beb54c76fb8768b1ddab0c37c18d450241ee4970cbdd9f6ea9690e3dbb4a88a9

SHA512
4b63f0035e42b600690577f72c0dcd9bca227caf60f276eef3fc9351e97ade9993e87812dd66b55c38baafcd40a7ea3df68ee03329d7d45d8630286420a6b095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
25da399aa8d0529d2c943cf5490504d6

SHA1
b1f207d00335a3a4b743aed7d8e96b0d3e8ecaaa

SHA256
85d1b43c300b8d194b474839146765a53383390cca16a34c808eb98087747ec3

SHA512
7679c2ee7530f95790cd52e8cd78582a94a716c386fd0ca1c1b92088dfdd6ec302e0a1c51579f4fc1e8c3d172cdaa2ecae8491be63cd1a55dcce2ca32203dbbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ba3ed.TMP

Filesize
1KB

MD5
6e0179df08de72285c98f6eba91711e2

SHA1
0979e2debd509e46fffa4224f02a9f7636aaff32

SHA256
669e675391d5c0978536336974bd54a3e5d7d04d6911981272fbfd2b159b8df5

SHA512
b80d2c67c7b75567cbf74faed4c7cf44349f7ab14cb4a073da800a02aa703cefced99e34c65bb12b8ea4664077a3b77f7bb15a01ea6880559b94ef01cc9c138d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a51b9c72ca4afa37fca4a5b19f027aa0

SHA1
dc87ac62f52c4b0043197d20ed7e7a2a419b9c85

SHA256
96e4cec863cc7429cf085a103500722e788ef4474d56d1bd4d1fa8689c970ee5

SHA512
cce2569ca9c96e9dea72bdf311dac5864d5f933ea6ee284ee4a69837df32dbc7970d13149158fbd3149b7e25e23335491704642d59febe8cf55768cfe3e46f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
901aa4fa8d8e89365b232b0d683f37a9

SHA1
b9012e73daab0d3792528cd198263c1b08494b02

SHA256
202a184bc1cea5d6380d51363477f116e24ca662df48ed1ff0311246d8e45a70

SHA512
95df691242312a429cbb24993c2e33c083e419229f03838dea8d9a703e53d0a3c595fe479d40527822c9c019f95ef90d8e43b88e037120c0c1109ed3621663ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
5b382fd6f654e6dcede3ea5b715e9c9b

SHA1
2e9cf547b37343e51cb7a4ac5fd53420be9ef629

SHA256
8777a4a76206f192c27bdcbb82bb3f27ef47d27d24e64203e3d2f089994ecbb3

SHA512
9d595a9e091e5b147bdc1be752bb6dd591a7c83d920f8938c6ae08ee8d4c2734b12081e30f54aeb978d2849cd397caac75d8760dd3b22f2b52368f43e7a0da70

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\18df706d-bb68-4fda-a3fc-54c37a47e64d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\AssocProvider.dll

Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\EdgeProvider.dll

Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\Ffuprovider.dll

Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\IBSProvider.dll

Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\IntlProvider.dll

Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\OfflineSetupProvider.dll

Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\ProvProvider.dll

Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\SysprepProvider.dll

Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\UnattendProvider.dll

Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\Vhdprovider.dll

Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BD4D277-7622-49B3-BEC8-7263F28E5968\WimProvider.dll

Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jm5ejk3a.i2f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
73881a14da9f1e0d6ff2a76bcaeee8d1

SHA1
e642da648196251c5f79a02b0b7563b48f502e5c

SHA256
a4b4f09d11cca9c3c3594c4a074aa9a57ed809290d7939ee3b70ba8bb0075bf1

SHA512
ee694841b7c29daeafcacfd2291a9b218cccc11547070afbd197f92ff3dd9eb36b3d5db699c6e731cad15bf053ef8493b80ed43b0f1f27a9b2c96a0a4ccb2894

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
83415bb8c4a9abe5d0ff05128045d34a

SHA1
94e8646f99e24e228caedcd99f36db01ddc19984

SHA256
441141f3e7da15257badb528734a296c1a621835557bee38b35373affc78819e

SHA512
763579539dceb7087f1f14c7b589bdde01ea28653a15aa2fb3f7ed766a57da34964517a19c94061e4a0d66db5e27a1284a833561960b0ac69731e9ca642a5a41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
50fc5c1b779208c5fe2af6375618d403

SHA1
c4e6fe29d5b1e239a257f7a331177fbc59749bab

SHA256
9ebfcd994a3322a828b24d3844ed9c81787bff39a246cc2ad1fe85e883afe759

SHA512
4d2d6326326934337225519ed854cc5bddc9588a97bc3ce4d4e8a056c5d85d8645555150be90080837a2c2498b26597dd55c4b384c6c8d018240356e0e9cfa40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5e2ff4fedc1696dc45ee89797adeb46a

SHA1
ee73a39e1b5896256780fa469a615b103958f9c9

SHA256
60f323ccb195c452f548b93a1a86308783168b316687da6478edfdbfed5b25a9

SHA512
4b9f7452c1743cbc4d230cb0bfb3bb6ad3b95966ad84c8f2fffdd91443f68dfb50104978ebd6e6538a8bd3a725c0bcd036a156fda2204519f2079d6c82417b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\17f124f1-ebe9-48ab-ab2c-2c8fc5037985

Filesize
982B

MD5
e564af8c46d4fc0b870c985a22b4a29b

SHA1
33c11555f042097384e43bcb308a90446a758a41

SHA256
7ab3a3896588ca4568cdc2d1cecfe0ab2e4692bf02a563da346a333f0c3bf514

SHA512
b62aa9ba99f06b9dc96ba51a7382744940399a1bc2cf876b2f616f3ad31eee3c9875a640dd02229d3c5cc30e4abbd5c85f3d0f7a950b5ed5a8f51f043bf4938e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\1f4e396b-6841-4865-acfa-0337865622bc

Filesize
671B

MD5
9b9a692e8f69f2dfa53260a7eca2bf11

SHA1
24b413c4a3510cfbe4c6ae4e1a6a989b3612dc47

SHA256
5a41e6dd1c50400e8ef02dc8c487cf134b58500a0b387d9b66a2adca2d2d74ef

SHA512
87b1cfe9f0376a31ac9a2e525a3c07059a6787d11a8c792a74069d01475922ed38c189d49db2f382e2a3defa9f7910dcc6d454e09bf937da706dec86b1422497

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\datareporting\glean\pending_pings\af4d9f67-dab8-4969-aa3b-65584a18ef86

Filesize
27KB

MD5
1f98931bf748d185436cdd5a3834be72

SHA1
6be045ee7373cf9789b830516e5ba8a4f1cf2ac9

SHA256
eb09639d117dae64efbab129cfed7974ec29063f37760ce9da301597aa5c529c

SHA512
ed683f8d10f5ad6bb56be966450a212c561ee938ebe2f5fca6c18dbf00c658113964bbaf0b5fe8b1005ec3874847e8cc75b51d16b9000aa211c1e96f60c97120

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs-1.js

Filesize
9KB

MD5
2f652c498569035f9827252b2ea4a3a6

SHA1
528820ed3c23de991fa5dba5ecf2c2fad2100352

SHA256
791911b9e8d588ee3d8e7ef3a96ec10c4f8a0a1c722a25e70fa497d406dcb8bf

SHA512
6478ebc230347374b5a4cc51f5d2c43285485f18ec8b63695a58bed264ebc73e385977ccb9696474a19a1193d808bc04af1121f597cb4e39386398877d2fc251

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs.js

Filesize
9KB

MD5
05fa35fca61ccdf68a7c0f0367cc0f57

SHA1
9fec9fc3ed47dea8051a124aea0221d5a5509f77

SHA256
6560c4b84a54ba59edd7e16a2098642b206b8ce2f5bd21c15fd1b74ea7b58fc4

SHA512
804d585046a1e949ec3a328a40a6e4e1c20d26296ff41e71b01d7509f58d363f7d2c36fb0f5dccfd0e46e167d640a7faf5d0e8093458e61e9bcffab1df6864d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\prefs.js

Filesize
9KB

MD5
53d0c9f8a49e6858a2deee7d00692b7f

SHA1
8c72e6bfa592cd0d065c467bd0f8972b4ee9a1ef

SHA256
064dc404fa74e6176219473d189200d5d05933bb59b8e707bf55290d6af5585e

SHA512
8aabffc878921510afc83c46409abdf3b9be03f6825b18d330e078cd50ed32d225c1ac2b5e7ad3a88d4c7f0d95d60b94259eac4282abfbd996751e5278dabe9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionCheckpoints.json.tmp

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cvbzj2yx.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
08655d23c992a809e057ccb3c74a193e

SHA1
2032d4dc0c566b0b1f05777334a2ab4a4d5ac710

SHA256
8058fcfe499b67f421a8f24ba87267df6996dbb0a50642b82d2482ca3f2ca04c

SHA512
3292e18fe28d2171c11a7452815c798b4ada4054e563edd8f88da7353e63f43eda16ea853ccdb71ced1495c195641dbe010e57b3c48072dbe6a3798e0f8ab0d9

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll

Filesize
130KB

MD5
1d6ad00b8f9a8bb56e2434a6fbe561c5

SHA1
30ed45f83f84cfee06a65ee86d3e726765cf94b1

SHA256
13110873cc3980d45f2ffc63a5d0323d7596e5c965eda1b135848abc91aedeea

SHA512
a373ea52349fa513b99d41d51338250c6f24fe9765246f9a227c6f74eb2a51aacb5d2d6c77e43fb9c9ce3fb371f12fe53cb2958e5ff4dd55a17f5dea8b67027e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
a9ab2a2afbd3c4b098d02fcd87a205fb

SHA1
ce38ede3b1123edf2ac90848b854996135810851

SHA256
6a1c76ab8776de4f4a87461375316ce1841c5ded8c043f2d2aba41ef69440de5

SHA512
44c9ffce4a93a63725b6a588049d15693273d50e79174991529b59976c1172febda26af8314ca6ff8f8f4d2e91ed9a153fd51e51b6528e069ded2563ed6c5020

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
285KB

MD5
e65c5b30bd400a81c5728337a5c3afd8

SHA1
fc15c36781461708e6089adffe26ed33c331ab64

SHA256
743c8f48240d441546f5691349af50daf21ecc017ced3a171a3fb624437a78b0

SHA512
c023c590f37872ce0b77870679b5365571ed29db04b3bfdb06141d79c81515d5068b728540c0f2aa63d3dc1ff22b358bd50bca16e15ca3d7543ec08176468cce

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
289KB

MD5
9e92e4e594c6a7499c3f0895b656e02b

SHA1
46b7d3077dd09745150556bb85eaa9b29986c49a

SHA256
b8cc4b8ad7be94e743eb2fb8d4e60fd479ce5abc60a63a94b478a8f56c7782a3

SHA512
dd924d329de68b96d6f6e283fb5c4bb1f57afc635189c3259358f65c59e496eed41d3085edbca699f79cfd8456c4d6ecfc5432ceff8275aa1e241ad121c0d590

Download Submit
memory/2336-1709-0x000000006F8E0000-0x000000006F95E000-memory.dmp

Filesize
504KB

Download
memory/2336-2470-0x0000000070010000-0x0000000071A0B000-memory.dmp

Filesize
26.0MB

Download
memory/2336-2467-0x000000006F9E0000-0x000000006FF86000-memory.dmp

Filesize
5.6MB

Download
memory/2336-2469-0x000000006F8E0000-0x000000006F95E000-memory.dmp

Filesize
504KB

Download
memory/2336-2466-0x000000006F960000-0x000000006F9DA000-memory.dmp

Filesize
488KB

Download
memory/2336-1708-0x000000006F880000-0x000000006F8D9000-memory.dmp

Filesize
356KB

Download
memory/2336-1703-0x000000006F960000-0x000000006F9DA000-memory.dmp

Filesize
488KB

Download
memory/2336-2468-0x000000006F880000-0x000000006F8D9000-memory.dmp

Filesize
356KB

Download
memory/2336-1710-0x0000000070010000-0x0000000071A0B000-memory.dmp

Filesize
26.0MB

Download
memory/2336-1603-0x00000000366F0000-0x0000000036700000-memory.dmp

Filesize
64KB

Download
memory/2336-1704-0x000000006F9E0000-0x000000006FF86000-memory.dmp

Filesize
5.6MB

Download
memory/2336-1578-0x00000000018E0000-0x00000000018F6000-memory.dmp

Filesize
88KB

Download
memory/4468-1188-0x0000000007610000-0x00000000076B4000-memory.dmp

Filesize
656KB

Download
memory/4468-1187-0x0000000006BF0000-0x0000000006C0E000-memory.dmp

Filesize
120KB

Download
memory/4468-1154-0x0000000005180000-0x00000000051B6000-memory.dmp

Filesize
216KB

Download
memory/4468-1155-0x0000000005840000-0x0000000005E6A000-memory.dmp

Filesize
6.2MB

Download
memory/4468-1156-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/4468-1158-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/4468-1157-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4468-1170-0x0000000006100000-0x0000000006457000-memory.dmp

Filesize
3.3MB

Download
memory/4468-1176-0x0000000006B20000-0x0000000006B6C000-memory.dmp

Filesize
304KB

Download
memory/4468-1175-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/4468-1178-0x000000006E550000-0x000000006E59C000-memory.dmp

Filesize
304KB

Download
memory/4468-1207-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/4468-1177-0x00000000075C0000-0x00000000075F4000-memory.dmp

Filesize
208KB

Download
memory/4468-1189-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/4468-1190-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/4468-1191-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/4468-1192-0x0000000007BE0000-0x0000000007C76000-memory.dmp

Filesize
600KB

Download
memory/4468-1193-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/4468-1208-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/5068-1276-0x000000006E550000-0x000000006E59C000-memory.dmp

Filesize
304KB

Download
memory/5068-1243-0x00000000063F0000-0x0000000006747000-memory.dmp

Filesize
3.3MB

Download
memory/5112-1219-0x0000000005E30000-0x0000000006187000-memory.dmp

Filesize
3.3MB

Download
memory/5112-1220-0x000000006E550000-0x000000006E59C000-memory.dmp

Filesize
304KB

Download
memory/6180-3104-0x00007FFC4E360000-0x00007FFC4E616000-memory.dmp

Filesize
2.7MB

Download
memory/6180-3106-0x00007FFC67D40000-0x00007FFC67D57000-memory.dmp

Filesize
92KB

Download
memory/6180-3115-0x00007FFC60250000-0x00007FFC60271000-memory.dmp

Filesize
132KB

Download
memory/6180-3122-0x00007FFC5F4D0000-0x00007FFC5F4E8000-memory.dmp

Filesize
96KB

Download
memory/6180-3121-0x00007FFC5F710000-0x00007FFC5F721000-memory.dmp

Filesize
68KB

Download
memory/6180-3120-0x00007FFC5F730000-0x00007FFC5F74B000-memory.dmp

Filesize
108KB

Download
memory/6180-3119-0x00007FFC5FF30000-0x00007FFC5FF41000-memory.dmp

Filesize
68KB

Download
memory/6180-3118-0x00007FFC601F0000-0x00007FFC60201000-memory.dmp

Filesize
68KB

Download
memory/6180-3117-0x00007FFC60210000-0x00007FFC60221000-memory.dmp

Filesize
68KB

Download
memory/6180-3116-0x00007FFC60230000-0x00007FFC60248000-memory.dmp

Filesize
96KB

Download
memory/6180-3113-0x00007FFC60280000-0x00007FFC602C1000-memory.dmp

Filesize
260KB

Download
memory/6180-3107-0x00007FFC63BD0000-0x00007FFC63BE1000-memory.dmp

Filesize
68KB

Download
memory/6180-3111-0x00007FFC602D0000-0x00007FFC602E1000-memory.dmp

Filesize
68KB

Download
memory/6180-3102-0x00007FF68DB60000-0x00007FF68DC58000-memory.dmp

Filesize
992KB

Download
memory/6180-3103-0x00007FFC630C0000-0x00007FFC630F4000-memory.dmp

Filesize
208KB

Download
memory/6180-3108-0x00007FFC63390000-0x00007FFC633A7000-memory.dmp

Filesize
92KB

Download
memory/6180-3110-0x00007FFC62FE0000-0x00007FFC62FFD000-memory.dmp

Filesize
116KB

Download
memory/6180-3112-0x00007FFC4D760000-0x00007FFC4D96B000-memory.dmp

Filesize
2.0MB

Download
memory/6180-3109-0x00007FFC63060000-0x00007FFC63071000-memory.dmp

Filesize
68KB

Download
memory/6180-3105-0x00007FFC69780000-0x00007FFC69798000-memory.dmp

Filesize
96KB

Download
memory/7056-3082-0x0000000070010000-0x0000000071A0B000-memory.dmp

Filesize
26.0MB

Download
memory/7056-3083-0x000000006F9E0000-0x000000006FA5E000-memory.dmp

Filesize
504KB

Download
memory/7056-3085-0x00000000733F0000-0x0000000073449000-memory.dmp

Filesize
356KB

Download
memory/7056-3084-0x000000006F960000-0x000000006F9DA000-memory.dmp

Filesize
488KB

Download
memory/7056-3053-0x0000000001360000-0x0000000001376000-memory.dmp

Filesize
88KB

Download
memory/7056-3064-0x00000000366F0000-0x0000000036700000-memory.dmp

Filesize
64KB

Download
memory/7056-3077-0x000000006FA60000-0x0000000070006000-memory.dmp

Filesize
5.6MB

Download
memory/7056-3076-0x00000000733F0000-0x0000000073449000-memory.dmp

Filesize
356KB

Download
memory/7056-3075-0x000000006F960000-0x000000006F9DA000-memory.dmp

Filesize
488KB

Download
memory/7056-3074-0x000000006F9E0000-0x000000006FA5E000-memory.dmp

Filesize
504KB

Download
memory/7056-3073-0x0000000070010000-0x0000000071A0B000-memory.dmp

Filesize
26.0MB

Download
memory/7056-3086-0x000000006FA60000-0x0000000070006000-memory.dmp

Filesize
5.6MB

Download